April 09, 2012
Mobile payments malware: Assault and low battery
According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and consequently go for market size in their exploits. Within a year, he says, we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview with Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.
I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.
Mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.
The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.
The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.
Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections to protect data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
April 9, 2012 in malware, mobile banking, payments | Permalink
April 02, 2012
What defines an efficient market?
"There was an active debate on whether the Reserve Banks should be involved in card-based systems, but we concluded that card systems were not something that the Reserve Banks needed to become operationally involved in. [We concluded] that the private sector was developing these systems appropriately on their own, and that it didn't need public sector intervention." (From Louise Roseman's keynote address at the November 2011 Retail Payments Risk Forum conference, "The Role of Government in Payments Risk and Fraud.")
I recently re-watched video clips from Louise Roseman's keynote address at our November 2011 Retail Payments Risk Forum conference. In these clips, Roseman, who is the director of Reserve Bank operations and payment systems at the Board of Governors, explained that the Fed occasionally, but not always, provides payments services. She mentioned that when credit cards started to appear, the Fed debated whether or not they had a role in that market. However, the Fed determined that the market was functioning well enough on its own and that intervention was not justified.
Roseman discussed a contrasting example of when the Fed did intervene in a market: check clearing in the 1910s. In the 20th century, paper checks had to be physically presented at the bank they were drawn on in order to clear. While this process was easy for checks drawn on and deposited at banks located in the same major city, it was much more difficult for checks that had to travel inter-city or were drawn on country banks. To process these out-of-town checks, banks had to manage multiple correspondent relationships. Across banks and clearinghouses, this meant frequent handling and duplication of effort. And when a receiving bank did not have a correspondent relationship with the paying bank, these checks did not clear at par—that is, paying banks charged presentment fees for settling checks with noncorrespondents.
To minimize presentment fees, banks would sometimes send checks on a circuitous route. What follows is a real example of one check's meanderings. (This journey is documented in Clearing Houses and Credit Instruments, a 1911 publication of the National Monetary Commission.) Woodward Brothers of Sag Harbor, NY, wrote a check for $43.56 from its account at the Peconic Bank to Berry, Lohman, and Rasch of Hoboken, NJ. The check was deposited at the Second National Bank of Hoboken. The Second National Bank of Hoboken sent the check to Harvey Fisk and Sons, of New York, who sent the check to the Globe National Bank of Boston, who sent it to the First National Bank of Tonawanda (on the far western border of New York). From Tonawanda, the check made its way to the National Exchange Bank of Albany, was forwarded to the First National Bank of Port Jefferson, went on to the Far Rockaway Bank, and ended up going back to the Big Apple at Chase National Bank. From Chase, the check went to Queens County Bank of Brooklyn, and finally back to the Peconic Bank of Sag Harbor!
At the time, many bankers pushed for the Fed to provide check clearing to reduce these inefficiencies. The Fed obliged, which resulted in savings to the whole market and all checks clearing at par.
Check clearing is just one example of a payment system in which the Fed could improve the overall efficiency of clearing and settlement processes. Are there other markets for which we could replicate this success? What defines an efficiently functioning market?
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
April 2, 2012 in checks, payments | Permalink
February 21, 2012
Security in the mobile wallet: Is it good enough yet?
For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.
But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.
Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.
A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:
"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."
It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to roll out in 2012.
Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics' recent study found that financial services applications had the largest percentage of apps that passed their security tests.
Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are meeting the terms of third-party agreements with respect to application and device security.
Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems | Permalink
November 28, 2011
Portals and Rails welcomes new director of Retail Payments Risk Forum
On August 31, we said farewell to our director, Rich Oliver, when he officially retired from the Retail Payments Risk Forum after 38 years with the Federal Reserve. With his many accomplishments and significant contributions to the Fed, to the Forum, and to research in the payments industry, Rich left behind some pretty big shoes, and we've been looking for someone to fill them. Well, we've found someone more than capable of walking in these shoes, and we'd like to invite you to join the Portals and Rails team in welcoming the Forum's new director, Mary Kepler. On December 1, Mary will step into her new shoes—uh, role—overseeing the Forum and maintaining District and System-level relationships with industry executives and organizations in the payments arena and in payments risk and fraud prevention.
Now, we're not going to divulge Mary's shoe size, because we're really only speaking metaphorically here and would never comment on anything so personal in such a public forum, but we can tell you about Mary's path that has brought her to us. She certainly comes to her new position with a variety of relevant experience, most recently as the vice president of Financial Management and Planning (FM&P) here at the Atlanta Fed.
Mary originally came to the Atlanta Fed in 1992, moving from the Kansas City Fed, so she has a long history with us. She joined the Atlanta Fed in the Supervision and Regulation department and was soon promoted to relationship manager with the AmSouth Bancorporation. In 1998, she moved to the automation operations department, where she was assistant vice president until 2002, when she became vice president. Mary joined the Retail Payments Office in 2003 and for two years served as the Federal Reserve System liaison to the U.S. Treasury Department for retail payment services that the System provides to the U.S. Treasury.
From 2005 to 2006, Mary was senior human resources officer. She chaired the Bank's Human Resources Committee and was an advisor to the Bank's Management Committee. She then became senior officer over FM&P.
As you can see, Mary comes to the Retail Payments Risk Forum well qualified. We look forward to embarking on this next phase of our journey under her capable, proven leadership. So please help us congratulate Mary on her new position, wish her continued success, and tell her she wears her new shoes well.
By Cynthia Merritt, assistant director, Douglas A. King, payments risk expert, and Jennifer C. Windh, payments risk analyst, all of the Retail Payments Risk Forum
November 28, 2011 in payments, payments risk, payments systems | Permalink
September 26, 2011
I can’t use my prepaid card for that now?
The focus of the Portals and Rails blog is usually related to fraud or operational risks to the payments system. Today's blog will take a look at a different type of risk, the risk of reduced functionality for general purpose reloadable (GPR) prepaid cards. An interesting development with GPR prepaid cards has arisen out of the recent Regulation II (Reg II) ruling. Considering that 1.3 billion general purpose prepaid card transactions were conducted in 2009, according to the 2010 Federal Reserve Payments Study, changes affecting GPR prepaid cards could affect many people.
Reg II, which was instituted in response to the statute commonly referred to as the Durbin Amendment, has an unintended consequence. Consumers risk losing some payment functionality with prepaid cards, including the ability to have funds auto-drafted via ACH from GPR prepaid cards. The risk of unintended consequences such as this one has not gone unnoticed by the Federal Reserve Board. In fact, during the June 29 Open Board Meeting, Governor Duke expressed her concern on this topic and said she would eventually like the Board to "undertake a study to quantify the overall effect of this rule on consumers."
With the Reg II interchange cap set to go into effect on October 1, many institutions are implementing new checking account fees and debit card fees that will undoubtedly make checking accounts and debit cards costlier for consumers. However, outside of eliminating or reducing rewards, institutions will offer consumers the same benefits and functionality for debit cards as they did before Reg II. It does not appear that the same can be said for the functionality and convenience of GPR prepaid cards.
To be exempt from the interchange cap, a GPR prepaid card must be the only means for a consumer to access the funds on that card or the card issuer must qualify for the small-issuer exemption (assets of less than $10 billion). If the consumer can access funds on a GPR prepaid card issued by a large issuer (assets of $10B or more) with a check, ACH, wire, or other account transfer method, then the card is viewed as a "deposit account" and therefore not exempt from the Reg II interchange cap. It was critical that the regulation include this language concerning GPR prepaid cards to prevent the widespread evasion of the interchange cap by issuers labeling traditional debit cards and their underlying deposit accounts as prepaid cards.
Conceivably, a GPR prepaid card issuer could be exempt from the Reg II interchange cap by eliminating payment functionality beyond the purchasing function of the prepaid card. Under this scenario, consumers would no longer be able to use their GPR prepaid cards to auto-draft funds via ACH from the card to pay recurring bills, such as utility bills.
According to recent comments by the CEO of Green Dot, the largest GPR prepaid card program manager, "all Green Dot managed programs, including our Walmart MoneyCard program, will be exempt from interchange restrictions under the Durbin interchange amendment and therefore, our programs will not be subject to lower interchange." A recent article in the American Banker noted that Green Dot would need to either remove features of its cards or switch bank issuers (neither of Green Dot's current issuers can qualify as small) for its cards to be exempt from the interchange cap.
Implications for GPR prepaid card users
With Green Dot cards set to be exempt from the Reg II interchange cap, many GPR prepaid card users should prepare for the loss of the direct debit functionality of their cards. And with the loss of this payment option, prepaid card users who currently use their cards' direct debit functionality to pay bills will now be more at risk of making late payments and having to pay the accompanying late fees. Furthermore, because many recurring billers, including utility companies, often charge a fee for card-based payments, GPR prepaid card users can expect to pay a service fee for paying some of these bills. To avoid these service fees for card-based payments, GPR prepaid card users may be forced to make cash payments in person, which can be both inconvenient for the consumer and costly for the biller.
A final thought
Perhaps the most surprising information from the Green Dot announcement is the fact that the Walmart MoneyCard will also be exempt from the interchange cap. With merchants being some of the biggest proponents of the Reg II interchange cap, it's interesting to learn that a merchant cobranded prepaid card will be stripped of a feature that provides consumers with a free, safe, and convenient way to pay bills, all in the name of earning the higher interchange and presumably maintaining low costs for consumers. Given the utility of GPR prepaid cards for the un- and underbanked population, will removing electronic payment functionality from the cards further disenfranchise these consumers from banks? Or would increasing consumers' cost for the product to maintain its current functionality lead this segment away from electronic payments and back to cash?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 26, 2011 in payments, prepaid, regulators | Permalink
Comments
Posted by: dave fortney | October 03, 2011 at 10:25 AM
How absurd that a piece of legislation intended to curb debit interchange earnings for banks is singling out transactions that do not generate any interchange (ACH, checks).
Under-banked people encouraged by the government to receive their tax refunds into prepaid cards will be delighted to learn that they can no longer pay their bills conveniently with the money received...
There are plenty of non-evil large banks that will think twice before offering prepaid cards as an entry product, if the cards lose a large part of their usefulness.
Posted by: Patrice Peyret | September 27, 2011 at 09:02 PM
September 19, 2011
The prepaid market: Growth and sophistication mean more risk
FinCEN has released its final rule on prepaid products, and a key feature expands the Bank Secrecy Act (BSA) compliance obligations to include providers and sellers of certain types of prepaid access devices. In March, we discussed FinCEN's proposed rule on prepaid products. The rule was drafted with the intent to address potential money laundering risks in prepaid access devices.
The final rule, released July 29, also replaces the term "stored value" with "prepaid access." The purpose of changing the nomenclature was to cast a broader net by covering not only prepaid access devices like cards, but also emerging prepaid access devices such as key fobs and mobile phones. The new definition is broad enough to cover any type of device that can serve as a portal to funds that have been paid for in advance and are retrievable and transferable.
Prepaid access devices are available in a wide variety of formats. Some types of prepaid access devices come in the typical card format, while others can exist in virtual form, such as an electronic serial number.
Growth of prepaid access
There is good reason for FinCEN's interest in prepaid products. Growth in consumer adoption and increased government activity (payout of government benefits, including unemployment and social security, among others) have accelerated the acceptance rate of prepaid products in recent years. Mercator Advisory Group predicts in its Seventh Annual Prepaid Market Forecast that the total dollars loaded onto prepaid cards may climb to $672 billion by 2013.
The Office of the Comptroller of the Currency (OCC) has also responded to the growth and sophistication of the prepaid market by releasing guidance to national banks that offer prepaid products with advanced functionality. The guidance advises national banks to develop comprehensive risk management policies and procedures to guard against potential fraud. The OCC expressed that prepaid products offering features such as international funds transfers, card-to-card transfers, and Internet transfers can potentially expose banks to a variety of risks that may not be in line with the banks' business strategies or risk appetites.
Newly regulated entities: Sellers and providers of prepaid access
Providers of prepaid access are now required to comply with the Bank Secrecy Act's regulations related to Money Services Businesses (MSBs). Some of those requirements entail maintaining adequate anti-money laundering programs. The type of BSA program will depend on the risk appetite, size, customer base, and geography of the sellers and providers.
Under the new rule, prepaid access providers must retain transaction-specific records generated in the ordinary course of business for five years. The records collected must be easily accessible upon request from FinCEN or other law enforcement. Both providers and sellers of prepaid access are subject to Suspicious Activity Reporting (SAR) and Currency Transaction Reporting (CTR), but only providers are required to register with FinCEN once every two years.
Prepaid products exempted
For the first time, closed loop prepaid products are regulated if more than $2,000 can be loaded on the device on a given day. FinCEN acknowledged that although closed loop prepaid access is generally considered an unattractive, inefficient, and unlikely means of moving large sums of illicit money, law enforcement cautioned FinCEN that closed loop prepaid access in large dollar amounts can be vulnerable to criminal enterprises intending to launder funds. This partial exemption for closed loop prepaid access addresses law enforcement's money laundering concerns regarding a limited segment of the closed loop prepaid access market, while still exempting the retail sale of closed loop prepaid access of $2,000 or less.
Also regulated for the first time is low-value ($1,000 or less/day) open loop prepaid access, if it can be used internationally, transferred between or among other persons (P2P), or reloaded by a nonbank. The restrictions placed on the open loop prepaid access are based on the device's functionality and not on what it can be used to purchase.
Exempt from most of the new rule are prepaid access devices that FinCEN determined posed a decreased risk of money laundering, terrorist financing, and other criminal activities. Those devices include prepaid access to funds for payroll, government benefits, and incentives, so long as the funds cannot be used internationally, do not have P2P capabilities, and cannot be reloaded by a nonbank.
The rule's effective date is September 27, 2011. However, compliance for registration of MSBs does not take effect until January 29, 2012.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 19, 2011 in payments, prepaid, regulators | Permalink
September 12, 2011
Retail Payments Risk Forum publishes discussion paper on peer-to-peer payments
Peer-to-peer (P2P) payment products are some of the most innovative developments from the payments industry in the past decade. Consumers have never had so many payment choices. Alongside a host of recent entrants like PayPal and CashEdge, longstanding industry players like Fiserv, Visa, and MasterCard all offer P2P products. Additionally, three major banks have announced a collaborative P2P initiative called ClearXchange.
Despite this range of innovative offerings, however, the industry lacks a standard understanding of how the various P2P payments in the market work. Further, consumers and businesses are also confused by the many options, and a lack of familiarity may be a source of the inertia that keeps consumers relying on cash and checks for most P2P payments.
The Retail Payments Risk Forum recently published a working paper on P2P payments as a resource for regulators, consumers, and the payments industry in general. The paper offers a framework to organize a discussion of P2P payments and evaluate the associated risks. This framework should help bankers and regulators better manage the risk exposure of different P2P products currently in the market. The framework categorizes transactions by counterparties, access channel, funds load and receipt instruments, and settlement network. Any P2P payment can be mapped across this lifecycle into categories that are mutually exclusive and collectively exhaustive.
Consumers send P2P payments by first initiating the transaction through an access channel. Access channels were traditionally limited to face-to-face, mail, or bank branches, but today you can send payments at a kiosk, online, or even with your mobile phone. The payment funds are loaded and received through an instrument like cash, a bank account, credit card, or prepaid balance. In the background, the funds clear and settle over traditional networks, including ACH, wire, and card networks.
The paper goes on to detail specific P2P payments with case studies indicating how a provider fits across the payment lifecycle. Two of the covered providers have been mentioned in this blog before: Western Union and CashEdge's Popmoney.
In a Western Union P2P transaction, both counterparties are consumers. The sender can initiate a payment at an agent location, a kiosk, or online, or by using their mobile phone in some limited markets. The sender can fund the transaction using cash or a credit, debit, or prepaid card. Senders can also use their account and routing numbers to fund transactions made online or by mobile. Western Union has been proactive in expanding the access channels and funding instruments available to remittance senders. The transaction clears by ACH in countries where the network is available, and by wire in other geographies. Finally, the recipient can receive the funds as cash, or can direct them to their bank account using account and routing numbers.
Consumers can use CashEdge's Popmoney to send a payment to another consumer or to a small business, and can access the service through online or mobile banking. The payment is funded from the sender's bank account using the account and routing number, and the recipient receives funds into their bank account the same way. CashEdge recently partnered with MoneyGram, an international money transmitter, and some recipients may be able to pick up their payment in cash at MoneyGram agents around the globe. Transactions are usually settled via ACH, although recent partnerships with EFT networks enable card network settlement as a speedier option in some cases.
The working paper concludes by discussing some of the risks of P2P payments. P2P payments may seem new and unprecedented from the industry and media buzz surrounding them, but, as described above, most P2P payments actually rely on traditional networks and banking channels. Therefore, the risks posed by P2P payments are not original, but rather map to the risks of the underlying payment type. The risk profile of each P2P product must be evaluated across its specific use case, access channel, and settlement network. A one-size-fits-all risk management plan cannot work for such a diverse market. Finally, in evaluating the risk of P2P payments, consumers, banks, and third parties should make comparisons to the status quo of cash and check transactions. Many times new products will offer benefits in terms of efficiency and innovation that may outweigh their greater risk, and in some cases the risk of new products may be lower than that of the status quo.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 12, 2011 in innovation, P2P, payments
August 29, 2011
Seeing what dimly lies in the distance: Parting thoughts on addressing payments system risk
As this post for Portals and Rails runs, it is likely that my concerns about fraud may be starting to center on whether the manufacturer's claims about the bass lure I am using are fraudulent. I guess that's a way of saying that on August 31, I will officially retire after 38 years with the Federal Reserve, an extraordinary organization faced with extraordinary challenges across the three legs of its mission responsibilities: monetary policy, bank supervision and regulation, and payments services. I have been blessed to have had so many challenging and diverse experiences through the years, including the last two years directing the fascinating work of the Retail Payments Risk Forum. Learning about the risks in our payments system, marveling at the entrepreneurship of those who want to exploit its weaknesses to commit fraudulent activity, and working with the industry to try to find ways to mitigate those risks has been both interesting and exhilarating.
Clearly such work is never done and the constant arms race to stay ahead of the bad guys in a technology-centric payments world is not likely to abate. My hope is that those who read this column continue to support the work of the Forum, its outstanding staff, and its new leader. But even more importantly, my hope is that the industry continues to make progress in collaboratively addressing the needs of our payments system in difficult times when investment dollars are scarce and tough choices must be made. At the risk of waxing philosophic, it is with all this in mind that I leave the following thoughts for others to consider and hopefully run with.
First, as an industry, we need to push our leaders to understand that the paradigms of success today are not those that served us well 10 years ago. The payments system is now a global infrastructure, and purely domestic solutions to managing fraud will not work. Business models for success changed with the advent of the Internet and they will change again with the evolution of mobile technology. A corporation's worst nightmare may be riding a train in Eastern Europe while simultaneously cleaning out a bank account in the United States. This means that it will inevitably be harder to implement solutions, but eminently necessary to extract ourselves from domestic thinking while building partnerships across the globe.
Second, standards are the key to long-term progress in such an environment. Certainty about what the standards are frees markets to invest in developing solutions to payments problems in a competitive environment that encourages escalating performance. Hence, we must give a lot of attention to doing the work in the basement rooms where standards folks work. While I suppose that revenue opportunities may abound for the entity that owns the standards, companies that are able to depend on standards to deliver risk management systems and products greatly reduce their cost of development and ongoing operations.
Third, it would be useful to clarify the roles of the many government (and sometimes private sector) groups that must engage in the business of protecting our payments system. The Forum and colleagues from the Boston Fed have been engaged in an ongoing effort with mobile payments that has demonstrated to us that nobody wants this clarity more than a frequently confused marketplace. While they long for integrated operations, integrated law, and integrated technology, it is integrated oversight that would help clarify who is responsible for what, encourage collaboration and sharing, and expose gaps in coverage that bad actors can exploit.
Fourth, in recent industry meetings I have heard payments professionals lament that a big part of our problem is that customers—both consumers and businesses—are not well educated in how to protect themselves against fraud. The discussion concerning who should be responsible for providing the education, however, resembles a group of folks juggling a hot potato. My suggestion is that financial institutions (individually or collectively through their trade associations) are the one party that touches both user groups and that stepping up and assuming the leadership role in payments education would not only be a great service but might actually be an endearing customer relationship and retention strategy.
Finally, as an industry we seem to be struggling to establish a vision for the future. On a wall at a recent meeting room, I read a quote by Thomas Carlyle that said, "Our main business is not to see what dimly lies at a distance, but to do what lies clearly at hand." Carlyle (who is credited with calling economics the "dismal science") may have had a point when he wrote this in the mid-19th century, but today the future comes at us so fast, it seems to me that we have to constantly keep our eye on what lies vaguely in the distance and create a vision for the future that embraces the possibilities. Said differently, it may be useful to create a vision for how we will collectively address future risks in the payments system even as we deploy new technology, rather than focusing on how to defeat the threats we already know.
With that, I wish our readership all the best and trust that perhaps our paths may cross again.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
August 29, 2011 in collaboration, crime, payments, payments risk
August 22, 2011
Is recent EMV announcement the catalyst the U.S. needs to catch up?
During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?
The merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals. While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy.
Visa's recent announcement about its plans to accelerate chip migration and the adoption of mobile payments may just provide the clarity in direction and sufficient incentives to get merchants moving.
Reduced PCI compliance requirements and liability shifts: Carrots and sticks
Visa's plan will require merchants to invest in chip-acceptance terminals as well as bear responsibility for losses resulting from magnetic stripe card fraud if they continue to accept those cards beyond a specific transition period. Right now, the banks that issue the cards bear those costs. So Visa is essentially imposing a counterfeit fraud liability shift as the metaphorical stick to encourage merchants to comply with the plan. Since the United States is currently the last developed country to implement a plan to migrate to chip-based card payments and agree to such a liability shift, this is a significant move.
But Visa's plan also contains some compelling incentives for the merchant community. PCI data security compliance requirements are costly and increasingly ineffective in combating card fraud schemes like card skimming. The Visa plan will eliminate certain PCI compliance requirements for merchants for whom at least 75 percent of their Visa transactions originate from chip-enabled acceptance terminals. Merchants will still have responsibility for protecting customer authentication information such as security codes and PINs. The prospect for improved security coupled with the reduced PCI compliance costs should be a welcome benefit to merchants.
Building a future for mobile payments
By initiating a plan to migrate to both contact and contactless chip technology at the merchant point-of-sale, the Visa plan may actually speed up the adoption of mobile payments. Building out the acceptance infrastructure will be necessary to support contactless payments and other chip-based emerging technologies in the future.
Conclusion
The growing incidence of global card fraud schemes is drawing critical attention to the need to overhaul the U.S. card payment system. Not only are countries in the European Union moving to chip-and-PIN technology to support their card payments, but they've also discussed banning the acceptance of magnetic stripe cards as a possibility. What this means is U.S. travelers will not be able to use their payment cards abroad. As a matter of fact, if you've traveled to Europe lately, you've undoubtedly discovered that some merchants are not equipped to accept our U.S. payment cards now. The move to chip technology for card payments has been coming—but no one knew exactly when or how. Clearly for merchants, the Visa announcement represents a roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
August 22, 2011 in chip-and-pin, payments, payments risk, risk
June 06, 2011
Who does what in fighting payments crimes? Explaining the acronyms and roles of agencies
My grandmother always enjoyed a good laugh. I fondly remember her laughter as we listened to Abbott and Costello's comedy sketch "Who's on First?" multiple times during every visit to her home. I must admit that at times I can feel like Costello when discussing the many different organizations (and their related acronyms) that play a role in regulatory and legal oversight of financial-related crimes. Though not necessarily as funny as Abbott and Costello's sketch, the multitude of organizations and their related acronyms in the United States and the roles they play as they relate to financial-related crimes are enough to make even Costello think that St. Louis's lineup is a breeze to follow. In an effort to allay some of this confusion, let's examine several organizations involved in the fight against financial and payments-related crimes.
Financial Crimes Enforcement Network (FinCEN)
FinCEN was established in 1990 by the U.S. Department of the Treasury. FinCEN is responsible for issuing and administering rules and regulations governing the reporting of currency and foreign transactions as defined in Title II of the Bank Secrecy Act. Title III of the USA Patriot Act gives FinCEN additional responsibilities that include developing rules and regulations related to due diligence and surveillance of suspected terrorists and those engaging in criminal activities.
FinCEN works with law enforcement and regulatory agencies to deter and detect terrorist financing, money laundering, and other financial criminal activity through the sharing of data collected from institutions, as prescribed by the Bank Secrecy Act and the USA Patriot Act. Though FinCEN develops regulations that financial institutions must follow, the agency does not have any oversight powers, so it has to rely on other regulatory/supervisory organizations to ensure that financial institutions comply with their rules and regulations.
Financial institution regulators/supervisors
The Federal Financial Institutions Examination Council (FFIEC) was established to prescribe uniform principles, standards, and report forms for the examination of financial institutions. The organization or agency that regulates a particular financial institution depends on the type of institution. The FFIEC attempts to ensure uniformity in the supervision and regulation of financial institutions, regardless of the supervising agency.
The Office of the Comptroller of the Currency (OCC) is responsible for supervising national banks. State-chartered banks are under the supervision of a state regulatory agency. If they are members of the Federal Reserve System, they also receive supervisory oversight from the supervision and regulation arm of the Federal Reserve, typically rotating examination cycles with the state regulatory authority where they are chartered. The Federal Reserve is also the regulator for financial holding companies, with supervisory oversight for all organizations and their activities within the holding company.
The Federal Deposit Insurance Corporation (FDIC) participates in regulatory oversight for state-chartered banks that do not join the Federal Reserve System to lessen the burden on state agencies. Most importantly, the FDIC engages in reviews of both state and national banks should their troubled condition present a threat to the deposit insurance fund.
Credit unions are supervised by the National Credit Union Administration (NCUA). Before merging with the OCC, the Office of Thrift Supervision (OTS) supervised the U.S. thrift industry. Under this merger, the OTS will be phased out by July 2011. The Federal Reserve Board will then take over the supervisory role of thrift holding companies, and the OCC will supervise all federal thrifts.
In their supervisory roles, these agencies ensure that financial institutions have Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance programs in place as prescribed by FinCEN and that financial institutions comply with other rules and regulations established by FinCEN and other bodies, such as state and national governments.
Law enforcement organizations
Though the United States Secret Service is best known for protecting the president, it is also responsible for investigating financial crimes that include counterfeiting of cash and U.S. treasury securities, access device fraud, financial institution fraud, identity theft, and computer fraud. The Secret Service often works side-by-side with the Federal Bureau of Investigation (FBI), which investigates Internet fraud, identity theft, and money laundering, among many other crime types. In investigating and detecting financial crimes, these agencies rely heavily on data from FinCEN obtained from the financial institutions' filings of suspicious activity reports. While both the Secret Service and FBI tend to focus on larger, high-profile crimes, local and state law enforcement agencies also play a critical role in leading the investigation of similar but smaller financial crimes as well as assisting the national organizations on larger crimes.
The role of the Retail Payments Risk Forum
In this web of organizations, guidelines, rules, and regulations, the Retail Payments Risk Forum (the Risk Forum) seeks to facilitate collaboration among participants in the payments industry. The Risk Forum has been successful in filling a critical and neutral role in bringing together members from the Federal Reserve System, bank regulatory agencies, rule-enacting agencies, law enforcement, and the payments industry for dialogue and information sharing. Furthermore, members of the Risk Forum are actively engaged in providing "boots on the ground" surveillance on service developments and emerging risk issues in retail payments systems.
As new payments risks take root and new organizations such as the Consumer Financial Protection Bureau (CFPB) emerge, it is imperative that these parties continue to engage with each other to effectively combat the growing threat of risk and fraud in the U.S. payments system.
This table summarizes the roles of the agencies.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 6, 2011 in payments, regulators
Although the article focuses on the loss of direct ACH debit from prepaid cards, these same programs are also eliminating their web billpay offerings -- this is probably an even bigger customer impact, as web billpay usage exceeds that of direct debit.