March 25, 2013
What's Next in Mobile Payments?
I recently participated in two banking conferences that displayed the full spectrum of strategic options and plans of banks regarding mobile payments. The first event was the annual operations/technology conference of a statewide bankers' association with all the attendees being small- to mid-sized community banks. All these banks currently offer an online banking application to their customers; about half of these have customized their online banking application for mobile device usage. Only one bank indicated they had a mobile payments application currently in operation. I was surprised to find that only a couple other banks planned to offer a mobile payments application within the next 12–18 months.
Later in the day, a panel of four MBA graduate students from a prestigious business school of a private southeastern university gave their views on mobile payments. The objective of this panel was to help the bankers understand the key drivers of this demographic's banking relationships and needs. All four panel members indicated they frequently accessed their banks' online banking services with their mobile devices as well as their laptops and tablets. They also unanimously stated they would switch financial institutions if the banks didn't offer the service or if they began charging a fee for the service. Interestingly, only one panelist used the mobile payments application from his bank, and his usage was infrequent. The reasons the panel members gave for their disinterest in mobile payments included difficulty of use of a mobile phone versus a laptop or tablet for bill payment or little need for the service because they found their existing payment methods to be as or more convenient.
At the Bank Administration Institute's (BAI) Payments Connect 2013 conference the following week, a featured track of the two-and-a-half-day event was the wide range of marketing, operational, risk, and technology issues related to mobile banking and payments. The prognosis for mobile payments couldn't have been more optimistic, with a number of panelists declaring that the tipping point for mobile payments had been realized earlier in the year. They credited the adoption rate for smartphones and other indicators they believed to be key drivers. Of course, we have to realize that many expressing such optimism worked for a company that has a vested interest in the success of mobile payments. However, that optimism was supported by a number of research studies delivered during the conference that concluded that the rate of smartphone penetration, the growing volume of mobile payment transactions, and overall consumer attitudes would translate to successful mobile payments programs.
One of the questions bankers frequently asked during the BAI conference was what a panelist would recommend the bank do regarding their mobile payments strategy. While there were some slight variations, panelists consistently responded that banks should get involved now and try a number of different, small-scale strategies. Several panelists used the gambling analogy of placing a distributed number of bets of small amounts rather than going "all in" with one particular mobile payments scheme. They acknowledged that the technology winner(s) of mobile payments was far from certain at this point, with near field communication, QR codes, and cloud options all in different states of adoption and each with their individual advantages and disadvantages.
The practice of "spreading your bets" is certainly a valid risk management strategy, but how practical is such a strategy for small financial institutions? The large banks have their research-and-development budgets, IT development staff, and other resources that allow them to participate in multiple pilot programs, but smaller institutions do not have such resources. Most would be able to offer only a mobile payments program supported by their core application processing provider.
As with many new payment products in the past, larger banks have led the initial efforts, and the smaller banks followed suit after customer demand for the service became more certain and with the realization that not offering the service would put them at a competitive disadvantage. Could this be the reason many banks, especially the smaller ones, have been sitting on the sidelines for now until the mobile payments picture becomes a bit clearer? Let us know what you think.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 25, 2013 in mobile banking, mobile payments, payments | Permalink
January 07, 2013
Boston Fed on mobile phone technology: "Smarter than we thought"
When it comes to mobile payments security, will the most secure solution win out, or will convenience rule the day? Mobile payment services are coming to market, however slowly, and as they do, security in supporting technology platforms is a critical consideration for merchants and consumers. In fact, many consumer surveys, such as this one released by the Federal Reserve Board, have reported that U.S. consumers consider security to be an important factor when deciding if they will use a mobile device to access financial information or engage in a payment service. Because security is a major contributor to the success and ultimate broad adoption of mobile payments, Boston Fed researchers examined how the primary technologies supporting mobile payments at the merchant point-of-sale address payments security. These technologies include near-field communication (or NFC) and cloud solutions.
This post looks at some of the high points of a paper written by the Boston Fed researchers about their analysis. The paper, published November 2012 and titled "Mobile phone technology: 'Smarter than we thought,'" discusses the unique characteristics of each technology and why security practices will vary accordingly.
NFC mobile payment options vary in security and convenience
The three primary approaches to NFC mobile payments all involve storing payment credentials in an encrypted smart card chip within the mobile phone. This chip, also known as the "secure element," may reside in the subscriber identity module (SIM) card, it may reside in the micro secure digital (SD)—or memory—card, or it may be hardwired into the actual device. Each of these approaches has benefits and disadvantages with respect to convenience and security.
For example, the SIM card's storage capability provides an additional layer of security. The wireless carrier can manage the SIM card remotely to prevent unauthorized access if the phone is lost or stolen or if the SIM card is removed. In other words, the mobile network operator controls access to the SIM card, which, depending on your perspective, may also be a drawback.
The memory card is also portable and communicates with apps to enable mobile payments. This method can be speedy to deploy. As a result, several U.S. banks, card networks, and transit authorities have piloted solutions using memory cards. However, these cards typically support only a single application or payment account, so they may not be the best long-term solution. Furthermore, their portability presents security concerns because there is no lock or PIN to prevent removal of the card from the phone and then subsequent unauthorized access to the payment information stored within it.
The third approach has the chip soldered into the hardware, making it relatively tamper-proof. Although it is less costly than the other NFC options, it provides no portability feature. So despite the stronger security features, this lack of portability makes this approach inconvenient because consumers cannot easily transfer payment credentials and applications when they switch phones.
Mobile payments in the cloud: A new security paradigm
While industry stakeholders were discussing the security options of NFC technology deployments, new alternatives emerged that rely on cloud computing. In cloud-based payment business models, the consumer's payment credentials are stored remotely on a server—which a merchant or payment services provider manages—as opposed to on the phone's hardware. Cloud-based services are less costly to deploy than NFC-based services. In addition, because they are hardware-agnostic, they are essentially portable and convenient for the consumer. In some ways, cloud-based payments can be more secure than in-phone solutions, since the consumer's payment credentials are not stored in the mobile phone and are not potentially exposed during transactions. However, it is still necessary to take steps to secure the remote storage of payment credentials and other important data. And, as the paper notes:
There are still many unknowns to be addressed. Because payments data can be compromised in the cloud, it is essential that: 1) payments data is not transmitted via SMS [short message service, or instant messaging] or email because these platforms are not encrypted; and 2) payments to the cloud are transmitted between secure, encrypted endpoints handled either by mobile carrier data networks or merchant-provided secure Wi-Fi hotspots, and are not transmitted unencrypted over any network.
Data privacy remains a critical concern
Cloud providers have a responsibility to protect consumer data. They must comply with privacy laws and obtain explicit permission before sharing data or mining it for other monetization opportunities. Ultimately, cloud providers must make sure that the underlying payment services are secure and resilient.
When it comes to new mobile payment methods in the cloud, how will we make sure that cloud service providers are fulfilling these responsibilities? This new paradigm requires new processes for vendor management, especially for banks in mobile payments. Banks will need to be able to demonstrate to regulators that they have conducted a comprehensive risk assessment on service offerings and done third-party due diligence at the onset of an outsourced relationship. Regulators must provide ongoing oversight for financial stability and fulfillment of contractual responsibility.
Complex business models likely will use combinations of technology
As the paper notes, it is likely that we will see hybrid models that use both NFC and the cloud for managing different pieces of information associated with a payments transaction. As we noted in a previous post, there are benefits and challenges to both NFC and cloud technologies. Numerous complex variables are at play when it comes to their security environments. As these technologies are likely to coexist, it will be important to understand the underlying security features as new mobile payment solutions come to market in the future.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
January 7, 2013 in consumer protection, mobile banking, payments | Permalink
August 13, 2012
Tourism Traffic Boosts Prepaid Cards
Prepaid cards, at least until 2010, were the fastest growing payment method in the United States, according to the Fed's latest payments study. Their use is also growing in other markets, including Latin America in general and Brazil in particular, especially for funding tourism activities. Brazilian tourists are increasingly choosing rechargeable prepaid travel cards loaded with U.S. currency over cash. Interestingly, U.S. banks are also realizing economic benefits from tourists' move from cash to prepaid cards.
Growing South Florida tourism drives Brazilians to spend more
Brazilians make up the second largest tourist group to Florida, next to Canadians (3.3 million of whom visited the United States in 2011). Last year, approximately 1.5 million Brazilians visited Florida. They spent more than a billion dollars total, with a per-visit amount typically exceeding $5,000. Altogether, the Atlanta Fed's Miami Branch paid out $1.7 billion in U.S. dollars to Brazil.
A number of factors are contributing to the rise in Brazilian tourists to Florida, including the high number of available flights, expedited processing for travel visas, significantly lower prices for many designer brands coupled with the absence of Brazilian import tax, and relatively cheaper real estate prices.
Brazilian tax rule, other factors influence credit card spending abroad
But why are these tourists increasingly choosing to use prepaid cards? In 2011, the Brazilian government imposed a new financial operations tax of 6.38 percent on foreign transactions made with Brazilian-issued credit cards. The tax, called the IOF—short for Imposto sobre Operações Financeiras—makes using credit cards abroad very unattractive for Brazilians.
Prepaid travel cards also offer more favorable exchange rates, and they insulate consumers against rate fluctuations by offering a fixed exchange rate on all purchases.
Banks in Brazil also benefit from prepaid cards used abroad. Transportation and custody expenses make it costly for Brazil's commercial banks to obtain and hold U.S. dollars. As a result, these banks are actively promoting prepaid cards. U.S. commercial banks quickly seized the opportunity to compete with their Brazilian counterparts by rolling out marketing campaigns in Brazil promoting the benefits of prepaid travel cards for U.S. travel.
All these conditions and incentives have combined to create a 50 percent rise in travel card applications by Brazilians shortly after the tax regulation was introduced.
Brazil offers an interesting case study of the growth in the use of prepaid payment cards. Just as U.S. consumers beyond the unbanked are recognizing the ease and convenience of this payment device, so are international consumers.
By Paul Graham, assistant vice president and branch operations officer, Miami Branch of the Federal Reserve Bank of Atlanta
August 13, 2012 in banks and banking, cards, payments, prepaid | Permalink
June 18, 2012
MintChip: Sounds like ice cream, but it's actually money
A common topic of conversation in payments for many years has been the notion of a cashless society. Although it is hard to imagine a truly cashless society, it is easy to envision what Ron Shevlin, an analyst with the Aite Group, recently referred to as a "less-cash society." Established alternatives to cash, such as credit, debit, and prepaid cards, have been steadily replacing cash payments for years. However, there still remain individuals who prefer cash to other payment means for a variety of reasons, including the anonymity cash provides.
As an alternative to cash payments, new digital currencies have been conceived. While these digital currencies allow for anonymity like cash, they have traditionally not been backed by an asset or a central bank. At least up until now. In April, the Royal Canadian Mint (The Mint) announced the development of MintChip, a digital currency backed by the Canadian dollar. The Mint is currently accepting MintChip payment applications from software developers.
Prior to the MintChip announcement, The Mint made headlines as the Canadian government announced in March the elimination of the penny. The Mint produced its last penny on May 4 with the goal of removing the penny from circulation by the fall of this year. So within several months, the Canadian Mint quits producing the penny while developing a new digital currency.
I believe that The Mint is sensing a true opportunity with MintChip in light of a threat to its traditional business as the world moves to a less-cash society. Faced with the threat of a loss of production in coins, the Mint is attempting to capitalize on the demand for a digital currency to make micropayments for goods and services in both the online and physical world. And while MintChip might not provide as much anonymity as other digital currencies, such as BitCoin and Liberty Reserve (which we looked at in an October 2011 post), its backing by the Canadian dollar might make it a more viable alternative to cash and coins.
It will be interesting to watch the developments of MintChip over the next several months as The Mint will select the best applications submitted by outside developers. Should MintChip gain traction in Canada, it is feasible that The Mint will port this concept to other countries where it currently manages the production of coins. (Over time, Canada has made coins for almost two dozen countries, including the Bahamas, Bermuda, Cayman Islands, Iran, and Venezuela.)
The global opportunity in the digital currency space is enormous: there were six billion mobile subscriptions across the globe at the end of 2011, according to the International Telecommunication Union. If MintChip proves to be successful, would the United States Mint attempt to follow suit? And what, if any, would be the regulatory challenges and implications of a digital currency produced by the United States Mint and backed by the U.S. dollar?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 18, 2012 in emerging payments, payments | Permalink
June 04, 2012
The new consumer protection agency looks at prepaid cards
The prepaid card industry has grown faster than many expected it to in recent years. The industry has a wide range of customers today, including not only the underbanked market but also many other market segments. In fact, in a public hearing on May 23, 2012, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray noted that while many consumers "actually have a bank account, they often use nonbank products to meet their financial needs," including the relatively new prepaid card. As this product has grown in acceptance, consumer advocacy groups have voiced concerns about the potential lack of consumer protections and the need for regulatory clarity for prepaid product providers. In response to these concerns, the CFPB announced its plan to launch a rulemaking initiative to promote safety and transparency in the prepaid market.
Why legal protections differ
While payment law critics cite the fragmented legal landscape for retail payment methods, the differences lie in the underlying mechanics. In the simplest of terms, retail payments can be segmented into three basic genres: "paying now" through a deduction in your account balance at a financial institution through either a check or debit card; "paying later" by using a credit card, which involves a loan from the payment service provider to cover the cost of the purchase in the transaction; and "paying before," by prefunding an account by the consumer for use at a later time.
These inherent funding differences lend themselves to different laws, regulations, and rule sets, since the timing and liability for maintaining the safety of the funds in each case differs. Consumer lending protection laws, for example, have relevance only for credit payment products. The emergence of new prepaid products and nonbanks participating in new business models, along with the sometimes questionable pricing schemes and fees, points to the need for industry dialogue on what new regulatory governance is needed in prepaid services today.
Growth in prepaid
The Federal Reserve’s last triennial payment study revealed that prepaid cards, particularly the general-purpose reloadable (GPR) variety, were the fastest growing retail payment in recent years, even though they represent a relatively small piece of the overall pie of preferred retail payment types. GPR cards allow the consumer—or another party, like an employer—to add funds to the card. This reloadable feature makes the product functional and convenient, and allows consumers who traditionally relied on cash to participate in the electronic economy.
Increased e-commerce is in turn leading to the use of prepaid in the mobile environment. Payment providers have been experimenting in recent years with bridge technologies such as prepaid card stickers using contactless technology. The sticker is put on the mobile handset, and is intended to influence consumer payment behavior by offering consumers the opportunity to tap their mobile phones at the merchant’s point of sale. As a result, the advance notice of rulemaking notes that a prepaid "card" may also take the form of other access devices, such as key fobs, or even a cell phone application that accesses a prepaid financial account.
What the CFPB is offering consumers
When it comes to prepaid cards, the public hearing made it clear that the CFPB wants to make sure, first and foremost, that consumers’ funds are safe, especially because not all prepaid accounts are structured so that they are protected by deposit insurance. The agency also wants to make sure that consumers have access to clearly written disclosures on card terms and fees before they even open a prepaid account. In the hearing, the CFPB also discussed a proposal to extend Regulation E protections to include GPR cards specifically. Furthermore, the CFPB also launched "Ask CFPB: Prepaid Cards" on its website to provide consumers with information about prepaid cards in a question-and-answer format.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
June 4, 2012 in consumer protection, payments, prepaid | Permalink
May 29, 2012
Are social security numbers still secure enough for payments?
Identity authentication is becoming increasingly important today as consumers conduct more and more social interactions, commerce, and financial transactions online. Many emerging payment methods are conducted electronically today and will no longer involve the face-to-face interactions that have provided an additional layer of security for our traditional retail payments environment. Unfortunately, our primary means of personal identification is the social security number, and it is becoming more vulnerable to compromise. How do we mitigate the risks in innovative payments going forward with traditional identification methods?
A well-intended system
The social security number was created in 1936 as a way to track workers' benefits for the new pension program. At the time, no other use for the number was envisioned. In 1943, however, President Roosevelt signed an executive order allowing other government agencies to use social security numbers. Today, the numbers are the primary identifiers for many government functions, including filing taxes, receiving all manner of benefits, and enlisting in the military. Social security numbers are also widely used in the private sector, especially in the healthcare and financial industries. They have become the default identifier used by healthcare providers, insurers, credit bureaus, banks, and others when signing up new customers.
Social security numbers—not so secure
You probably believe that your social security number is private. You probably assume that it's kept private by those who use it to verify your identity. But how many different people have seen your number, or some part of it, in the past decade? It's out there every time you've gone to a new healthcare provider, signed up for a new insurance plan, or applied for a credit card, bank account, or cell phone plan. Researchers have even developed an algorithm for guessing a person's number using just their place and date of birth.
The problem with such widespread use of social security numbers is that they are easily exposed and vulnerable to use in identity theft and related crimes, including various types of payment fraud. It goes without saying that new identification and authentication methods will be needed in the future to ensure that the personal information accessible via social security numbers can be protected and kept secure.
Mitigating compromise and improving personal authentication
In 2008, the Federal Trade Commission (FTC) developed recommendations on preventing the misuse of social security numbers for identity theft. First, it recommends using multifactor authentication, which supplements the social security number with additional verification processes. The FTC recommends further that, whenever possible, users should restrict the public display and transmission of social security numbers from applications, identity cards, and other documents. As crimes in electronic networks grow more prevalent, it will be increasingly important that the industry use multifactor authentication practices to combat the threat of outmoded personal identification methods.
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
May 29, 2012 in identity theft, payments, privacy | Permalink
April 09, 2012
Mobile payments malware: Assault and low battery
According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and consequently go for market size in their exploits. Within a year, he says, we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview with Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.
I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.
Mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.
The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.
The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.
Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections to protect data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
April 9, 2012 in malware, mobile banking, payments | Permalink
April 02, 2012
What defines an efficient market?
"There was an active debate on whether the Reserve Banks should be involved in card-based systems, but we concluded that card systems were not something that the Reserve Banks needed to become operationally involved in. [We concluded] that the private sector was developing these systems appropriately on their own, and that it didn't need public sector intervention." (From Louise Roseman's keynote address at the November 2011 Retail Payments Risk Forum conference, "The Role of Government in Payments Risk and Fraud.")
I recently re-watched video clips from Louise Roseman's keynote address at our November 2011 Retail Payments Risk Forum conference. In these clips, Roseman, who is the director of Reserve Bank operations and payment systems at the Board of Governors, explained that the Fed occasionally, but not always, provides payments services. She mentioned that when credit cards started to appear, the Fed debated whether or not they had a role in that market. However, the Fed determined that the market was functioning well enough on its own and that intervention was not justified.
Roseman discussed a contrasting example of when the Fed did intervene in a market: check clearing in the 1910s. In the 20th century, paper checks had to be physically presented at the bank they were drawn on in order to clear. While this process was easy for checks drawn on and deposited at banks located in the same major city, it was much more difficult for checks that had to travel inter-city or were drawn on country banks. To process these out-of-town checks, banks had to manage multiple correspondent relationships. Across banks and clearinghouses, this meant frequent handling and duplication of effort. And when a receiving bank did not have a correspondent relationship with the paying bank, these checks did not clear at par—that is, paying banks charged presentment fees for settling checks with noncorrespondents.
To minimize presentment fees, banks would sometimes send checks on a circuitous route. What follows is a real example of one check's meanderings. (This journey is documented in Clearing Houses and Credit Instruments, a 1911 publication of the National Monetary Commission.) Woodward Brothers of Sag Harbor, NY, wrote a check for $43.56 from its account at the Peconic Bank to Berry, Lohman, and Rasch of Hoboken, NJ. The check was deposited at the Second National Bank of Hoboken. The Second National Bank of Hoboken sent the check to Harvey Fisk and Sons, of New York, who sent the check to the Globe National Bank of Boston, who sent it to the First National Bank of Tonawanda (on the far western border of New York). From Tonawanda, the check made its way to the National Exchange Bank of Albany, was forwarded to the First National Bank of Port Jefferson, went on to the Far Rockaway Bank, and ended up going back to the Big Apple at Chase National Bank. From Chase, the check went to Queens County Bank of Brooklyn, and finally back to the Peconic Bank of Sag Harbor!
At the time, many bankers pushed for the Fed to provide check clearing to reduce these inefficiencies. The Fed obliged, which resulted in savings to the whole market and all checks clearing at par.
Check clearing is just one example of a payment system in which the Fed could improve the overall efficiency of clearing and settlement processes. Are there other markets for which we could replicate this success? What defines an efficiently functioning market?
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
April 2, 2012 in checks, payments
February 21, 2012
Security in the mobile wallet: Is it good enough yet?
For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 promises to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.
But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.
Different security deployments for mobile wallets may postpone widespread adoption
As noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability. However, free market dynamics dictate that not all players in this new mobile ecosystem will necessarily work together, since each is motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.
A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:
"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."
It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to roll out in 2012.
Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics' recent study found that financial services applications had the largest percentage of apps that passed their security tests.
Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are meeting the terms of third-party agreements with respect to application and device security.
Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems
November 28, 2011
Portals and Rails welcomes new director of Retail Payments Risk Forum
On August 31, we said farewell to our director, Rich Oliver, when he officially retired from the Retail Payments Risk Forum after 38 years with the Federal Reserve. With his many accomplishments and significant contributions to the Fed, to the Forum, and to research in the payments industry, Rich left behind some pretty big shoes, and we've been looking for someone to fill them. Well, we've found someone more than capable of walking in these shoes, and we'd like to invite you to join the Portals and Rails team in welcoming the Forum's new director, Mary Kepler. On December 1, Mary will step into her new shoes—uh, role—overseeing the Forum and maintaining District and System-level relationships with industry executives and organizations in the payments arena and in payments risk and fraud prevention.
Now, we're not going to divulge Mary's shoe size, because we're really only speaking metaphorically here and would never comment on anything so personal in such a public forum, but we can tell you about Mary's path that has brought her to us. She certainly comes to her new position with a variety of relevant experience, most recently as the vice president of Financial Management and Planning (FM&P) here at the Atlanta Fed.
Mary originally came to the Atlanta Fed in 1992, moving from the Kansas City Fed, so she has a long history with us. She joined the Atlanta Fed in the Supervision and Regulation department and was soon promoted to relationship manager with the AmSouth Bancorporation. In 1998, she moved to the automation operations department, where she was assistant vice president until 2002, when she became vice president. Mary joined the Retail Payments Office in 2003 and for two years served as the Federal Reserve System liaison to the U.S. Treasury Department for retail payment services that the System provides to the U.S. Treasury.
From 2005 to 2006, Mary was senior human resources officer. She chaired the Bank's Human Resources Committee and was an advisor to the Bank's Management Committee. She then became senior officer over FM&P.
As you can see, Mary comes to the Retail Payments Risk Forum well qualified. We look forward to embarking on this next phase of our journey under her capable, proven leadership. So please help us congratulate Mary on her new position, wish her continued success, and tell her she wears her new shoes well.
By Cynthia Merritt, assistant director, Douglas A. King, payments risk expert, and Jennifer C. Windh, payments risk analyst, all of the Retail Payments Risk Forum
November 28, 2011 in payments, payments risk, payments systems


FFIEC came up with guidelines for 2FA around seven years ago and followed them up with some more guidelines this year. Despite the passage of so much time and the fact that virtually all other large nations have adopted 2FA, banks and e-commerce merchants in the US are conspicuous by their absence of following even the basics of strong authentication like VbV, etc. Is this because 2FA introduces additional friction and/or false positives that result in greater revenue losses than potential loss by fraud? Given where the US is, is there any evidence that fraud loss as a percentage of transaction value is higher in the USA than elsewhere in the world?