May 06, 2013
Staying One Step Ahead of ATM Attacks
Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.
The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.
As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may also install a pinhole camera positioned to capture the customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.
Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.
It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.
These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 01, 2012
Summer Is Gone, but ACH Fraud Remains
As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months were replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.
In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.
Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:
- ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
- ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
- RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
- RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
- RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.
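One way an ODFI could run the file review from the first recommendation is sketched below. This is an added example, not code from the post or from NACHA: it reads the fixed-width Entry Detail (type 6) records of an ACH file and flags routing and account combinations that are debited under several different receiver names. The function names, the threshold, and the sample records are constructed for illustration.

```python
from collections import defaultdict

DEBIT_CODES = {"27", "37"}  # NACHA transaction codes: checking debit, savings debit


def routing_checksum_ok(routing: str) -> bool:
    """ABA check-digit test: weights 3,7,1 repeating, weighted sum divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0


def parse_entry(line: str):
    """Parse one 94-character Entry Detail record (type 6); return None otherwise."""
    line = line.rstrip("\r\n")
    if len(line) != 94 or line[0] != "6":
        return None
    amount = line[29:39]
    if not amount.isdigit():
        return None  # malformed amount field: skip the record rather than crash
    return {
        "txn_code": line[1:3],
        "routing": line[3:12],            # 8-digit RDFI id plus check digit
        "account": line[12:29].strip(),   # DFI account number, space padded
        "amount_cents": int(amount),
        "name": line[54:76].strip(),      # receiver (consumer) name
        "trace": line[79:94],
    }


def find_repeated_combinations(lines, min_names=3):
    """Flag routing/account pairs debited under >= min_names distinct names.

    One consumer paying from one account repeatedly is normal; many different
    consumers all "paying" from the same account is the pattern to review.
    min_names is an assumed threshold, to be tuned per originator.
    """
    groups = defaultdict(lambda: {"names": set(), "total_cents": 0, "entries": 0})
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["txn_code"] not in DEBIT_CODES:
            continue
        group = groups[(entry["routing"], entry["account"])]
        group["names"].add(entry["name"].upper())
        group["total_cents"] += entry["amount_cents"]
        group["entries"] += 1
    findings = [
        {
            "routing": routing,
            "account": account,
            "distinct_names": len(g["names"]),
            "entries": g["entries"],
            "total_cents": g["total_cents"],
            # The routing number can pass format validation while the
            # combination is still bogus, so this check alone proves nothing.
            "checksum_ok": routing_checksum_ok(routing),
        }
        for (routing, account), g in groups.items()
        if len(g["names"]) >= min_names
    ]
    return sorted(findings, key=lambda f: f["distinct_names"], reverse=True)


def make_entry(txn_code, routing, account, cents, name, seq):
    """Build a constructed Entry Detail record for the sample file below."""
    rec = (f"6{txn_code}{routing}{account:<17}{cents:010d}"
           f"{'':<15}{name:<22}  0{'99999999'}{seq:07d}")
    assert len(rec) == 94
    return rec


# Constructed sample: routing numbers start with 99 (not an assigned prefix)
# but carry valid check digits; names and accounts are invented.
SAMPLE_FILE = [
    "5" + " " * 93,  # stand-in for a batch header; ignored by the parser
    make_entry("27", "999999992", "000123456789", 12500, "A EXAMPLE", 1),
    make_entry("27", "999999992", "000123456789", 8990, "B SAMPLE", 2),
    make_entry("27", "999999992", "000123456789", 23000, "C PLACEHOLDER", 3),
    make_entry("37", "999999992", "000123456789", 4575, "D TESTCASE", 4),
    make_entry("22", "999999992", "000123456789", 5000, "E CREDIT", 5),  # credit
    make_entry("27", "999999989", "5550001", 6000, "J SMITH", 6),
    make_entry("27", "999999989", "5550001", 6000, "J SMITH", 7),  # same payer
]

if __name__ == "__main__":
    for f in find_repeated_combinations(SAMPLE_FILE):
        print(f)
```

The flagged combination passes the routing check-digit test, which mirrors the scam described above: the routing numbers were legitimate, so only the repetition across payers stands out at origination time.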
In addition to Deborah's suggestions, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.
The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 16, 2012
Online and mobile banking create many front doors
"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.
An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.
The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.
Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.
- Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.
- Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.
- Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.
- Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures for responding when out-of-pattern transactions are detected.
- Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.
With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.
By Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed
January 17, 2012
How risky? The elements of an effective payments risk management program
Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.
He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.
Often, the scope and rigor of the bank's risk management program is not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be anxiety for fee income in an environment where many sources of payments revenue have been pressured.
Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.
Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:
- Planning. Having clear, defined objectives, a well-developed business strategy, clear payments risk parameters, and a role within the financial institution's strategic plan.
- Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
- Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
- Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.
The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."
DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.
To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
October 11, 2011
High-impact events in a warming world: Business continuity planning for retail payments
Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.
Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.
Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:
The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.
The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.
In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 15, 2011
Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud
It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.
Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.
Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.
Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.
Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.
Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.
Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.
Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
January 10, 2011
Nonbanks and payments innovation: Because that's where the money is
In the past decade, nonbank companies have driven most payments innovations. For the most part, banks have left Silicon Valley startups and other third-party players to develop cool new payments gadgets and platforms that attract venture capital and YouTube views. While this dynamic and free market has allowed for great creativity, it has also meant that many of these new payments tools emerged outside the extensive system of regulations and consumer protections that exist in the banking industry.
This blog previously covered the lack of uniform regulation of money services businesses (MSBs), a significant gap given the expansion of financial services offered by MSBs like Western Union and MoneyGram in recent years. While providing a vital service for money transfer, MSBs may be vulnerable to money laundering and fraud schemes, as they lack the robust regulatory oversight that governs mainstream financial institutions. Through a series of industry partnerships, MSBs and other less-regulated nonbank payment companies are integrating with bank operations. For example, CashEdge, a relatively new alternative payment service provider, and MoneyGram recently announced one such partnership that could have implications for anti-fraud efforts.
Last year, MoneyGram paid $18 million in a Federal Trade Commission (FTC) settlement that charged the company had known about fraud on their system but did not work to address it, disregarding law enforcement warnings and willfully ignoring customer fraud complaints against agents. Consumers reported $84 million in losses between 2004 and 2008, but it is likely that many victims did not come forward, and the FTC claims that losses may actually have run into the hundreds of millions of dollars. Since the settlement, MoneyGram has invested heavily in anti-fraud measures, including enhanced agent training, improved communication with consumers, and greater partnership with law enforcement and the FTC. In response to questions from the Connecticut Watchdog, MoneyGram explained that these efforts have prevented $30 million in fraud this year and resulted in a 75 percent decrease in fraudulent transactions between the United States and Canada.
However, con artists continue to exploit Americans, evidenced by the recent Make-A-Wish scam. This scam has already defrauded victims of $20 million, with the thieves again using Western Union and MoneyGram to receive payments. Although these companies provide a valuable service to those sending money abroad to family and others, they are still vulnerable to threats from bad actors.
In light of this vulnerability, MoneyGram's announcement this past fall of a partnership with CashEdge to integrate with their POPmoney service bears scrutiny. POPmoney is a bank-initiated peer-to-peer payments service that went live late in 2009 and allows users to send friends and family money through text, e-mail, or online banking. The product has been very popular, with more than 100 banks adopting the service within six months of launch. The new partnership means that POPmoney users will be able to transfer money not just to other bank accounts, but also to any MoneyGram location around the world. These POPmoney-to-MoneyGram transactions will likely be fast and irreversible, using CashEdge’s convenience and MoneyGram's global presence. Furthermore, users will initiate all transactions via online or mobile banking, funding them directly from their primary bank account. Although MoneyGram launched enhanced anti-fraud technology last year for scanning risky transactions, these online transfers would bypass live agents whose training is one line of defense against fraud.
Although there may be considerable risks in integrating MSBs directly to a financial institution's online banking services, doing so could also be an opportunity to fight fraud in these channels. If banks' extensive experience in fraud detection and mitigation were applied to the money transfer business, it could significantly improve consumer safety and experience. If there are lessons to be learned here, they could be applied to a variety of similar partnerships across the industry, improving banks' access to innovation and enhancing the risk management capabilities of new payments products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 03, 2011
Demand deposit accounts: Balancing convenience and risk
Today's demand deposit accounts (DDA) have multiple access points–online, mobile, and ATM–affording consumers a great deal of convenience. At the same time, though, they provide that many more ways for criminals to carry out fraud schemes, as hacking tools (PIN phishing and skimming) become more sophisticated and fraudsters more bold with their attempts to fleece DDAs. According to a white paper by Fiserv, banks are becoming increasingly concerned about DDA fraud. The paper mentions a survey by McKinsey & Co., which revealed that an estimated $5 billion to $7 billion in annual losses can be attributed to DDA fraud, a figure expected to grow at an annual rate of 7 percent.
DDA fraud can take many forms. When it occurs with debit cards, a fraudster can steal or skim the physical card, or use a phishing scheme to steal a PIN, then use that information to deplete the account. When fraud occurs with checks, a perpetrator can empty the DDA by forging check endorsements or drawer signatures, counterfeiting or altering checks, or carrying out check kiting schemes. According to the Fiserv paper, there is also cross-channel fraud, which occurs with accounts that have more than one access point. This type of DDA fraud is increasing most likely because of the introduction of new channels like mobile and account-to-account transfers.
Declining check use but rising check fraud
Interestingly, even as check use declines, losses from check fraud and attempts at such fraud rise. The decline in check usage was recently captured by the Federal Reserve's 2010 Payments Study, which showed that "in 2009 more than 75 percent of all U.S. noncash payments were made electronically, a 9.3 percent annual increase since the Federal Reserve’s last study in 2007."
According to a recent speech by an official from the Financial Crimes Enforcement Network (FinCEN), reports of scams involving checks increased 19 percent in the first six months of 2009, and 27 percent of all Suspicious Activity Reports (SAR) filed in 2009 were for fraud-related activities. Check fraud was one of only two categories—the other was money laundering—that had an increase in SARs between 1996 and 2009.
Another study that touched on the prevalence of check fraud is the 2009 Deposit Account Fraud Survey Report of the American Bankers Association, which estimated that check-related losses amounted to $1.024 billion in 2008, up from $969 million in 2006. Of the banks surveyed, 80 percent indicated that they had reported check fraud losses in 2008, the same percentage as in 2006.
Rising debit card use, rising fraud
Debit card fraud is usually carried out through point-of-sale signature, PIN, and ATM transactions. As debit card usage escalates, so does debit card fraud.
According to the Fed's 2010 Payments Study, debit card usage exceeds all other forms of noncash payments. In fact, the annual use of debit cards increased by over 12.8 billion payments, the largest increase by any payment type during the survey period, reaching 37.9 billion payments in 2009.
According to the ABA survey, commercial losses from debit card fraud reached an estimated $788 million in 2008. Approximately 92 percent of survey participants reported experiencing debit card fraud, not surprising given the prevalence of debit cards.
Addressing DDA fraud
With consumers more and more often using debit cards and other noncash payments at the point of sale, and with the continued growth of more sophisticated hacking schemes, early detection and mitigation are more critical than ever to resolving payments fraud. The management of DDA fraud risk will have to change in response to the creation of new access points to demand deposit accounts.
Notwithstanding the technological advances in software that help financial institutions prevent and detect DDA fraud, the vigilance of consumers themselves can add significant value. As we move further away from paper and toward all-electronic forms of payment, detecting and deterring demand deposit account fraud will ultimately continue to be a combined effort between consumers and their financial institutions.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
December 06, 2010
Tough decisions: Fighting fraud in a free market
Over the past two years, despite a stagnant economy, the U.S. payments system has harvested the benefits of a free market: the generation of hundreds of innovative ideas. Mobile payment pilots, P2P offerings, remote banking services, small merchant credit card approval tools, and at-home remote deposit capture services for checks are only a sampling of the new ideas, many of which came from nonbank participants. Inevitably, this type of innovation and competition will result in more choices at more reasonable prices for American consumers and businesses.
This extraordinary explosion of payments system creativity stems not only from the benefits of free market capitalism, but also from the historical fact that our payments system enjoys substantially less oversight than other advanced economies. While we have a considerable array of consumer protection regulations in place in the United States, we do not have any specific government body charged with determining and enforcing overall payments policies and practices. Unlike much of Asia, Europe, the Far East, and Australia, there are no competition authorities, payments councils, commissions, or boards that set policy across payments channels. The Federal Reserve does not play as strong a role in governing payments as do the European Central Bank, the Bank of Japan, or the Reserve Bank of Australia. Congress has passed no comprehensive payments law such as the Payments Services Directive in Europe or the Payments Services Act in Japan. Predictably, then, we see the type of lively and innovative payments market in place in the United States today.
The downside of freedom
But, in the words of that great college football guru, Lee Corso, "Not so fast, my friends!" With the freedom to innovate also comes the freedom to do bad things. Said differently, there exists an inconsistent appreciation or concern for the necessary integrity of payments products and services. Entrepreneurs are not given the responsibility to ensure that their ideas can pass muster in the public policy arena. Their first concern is the marketability of their glitzy new product, not its protection against intrusion or susceptibility to fraud. While we can argue that banks by their very nature are more steeped in the tradition of focusing on integrity and security as key elements in payments services, the same is probably not as true for the large number of new nonbank players entering the payments world. Certainly, some such companies, particularly those run by experienced financial services professionals, do get the message, but many do not. We can assume that as less secure products and services are deployed, bad things will happen and lessons will be learned that bring about a reformation. In the meantime, many consumers and businesses may be seriously impaired.
The likely result of such experiences, however, may be the further engagement of Congress—and, ultimately, government—to devise remedies for the failings of a highly innovative payments system. Over time, we have seen some of this in the form of targeted legislation intended to fix problems or rein in abuses. Payments-related controls are embedded in the Expedited Funds Availability Act (EFAA), the Patriot Act, the CARD (Credit Card Accountability Responsibility and Disclosure) Act, and the recent Financial Reform Act. But none of the past legislative efforts have been comprehensive. The EFAA focused on checks, the Patriot Act on cross-border payments, the CARD Act on credit cards, and the Durbin Amendment to the Financial Reform Act on debit cards. The specific rules and controls for operating our various payments systems are resident in the requirements of the card companies, the NACHA rules for ACH, and Fed and ECCHO (Electronic Check Clearing House Organization) rules for check image exchange. In essence, the integrity of our payments system relies as much on vigorous self-policing as it does on law making. In fact, one could argue that law making is the predictable successor to bad self-policing.
The challenge to self-police
So the challenge for the payments industry, in an era of explosive technological development and worldwide connectivity, is to become much more focused on the issues associated with protecting the integrity of the payments system. Such attention needs to encompass a wide range of concerns, including data privacy, fraud mitigation, and financial stability. We cannot continue to build solutions that allow customer accounts to be taken over, identities to be stolen, and terrorist financing and money laundering to prosper. If we do, then we can be certain that Congress will move to clamp down, either on a piecemeal basis or more comprehensively, following models in place elsewhere. Ultimately, it is up to the industry as a whole, through its individual parts and representative groups, to get serious about its deficiencies within and across silos. In difficult financial times, it is hard to contemplate spending more on protecting the payments system when so many other priorities call. But our ability to preserve the potential benefits of widespread innovation may depend on it. If we fail to spend on remedies now, we will inevitably spend on them later and probably with less efficiency in reaction to legislation and regulation.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
November 15, 2010
Retail Payments Risk Forum publishes white paper on mobile payments
Everyone has a cell phone these days, and that ubiquity is paving the way for wide acceptance of mobile money person-to-person transfer services, also known as MMT. Emerging countries, where the mobile channel provides a safe, efficient environment for conducting financial transactions and improving financial inclusion, have been especially quick to adopt MMT. In contrast, mobile payment adoption in the United States has been slow, but many experts believe that, with more people acquiring smart phones and having access to all the applications that go with them, MMT is on the brink of becoming widely accepted.
As roaming agreements between wireless carriers and the globalization of commerce in general work together to render our world's geographic borders irrelevant, how quickly can we expect these services to migrate to the United States? More importantly, as various forms of electronic payment crimes emerge, what should the industry do to prepare for new mobile services in a cross-border environment?
To answer these questions, the Retail Payments Risk Forum recently published a white paper titled "Mobile money transfer services: The next phase in the evolution in person-to-person payments," which describes the current landscape for these services and examines the risk environment for mobile money for both developed and emerging countries as new business partnerships between bank and telecom firms take shape.
MMT has the potential to catalyze the mobile financial services market
Infrastructure developments to support MMTs could support the evolution of other financial services. According to the GSM Association, this infrastructure provides the basis for the concept of the mobile wallet, which will allow mobile phone users to conduct banking, proximity payments using the phone at a merchant's point-of-sale terminal, and remote mobile payments, including domestic and cross-border mobile transfers.
The mobile money risk environment
The risks inherent in all retail payments are also present in the mobile space, including money laundering, privacy and security, consumer protection, fraud, and credit and liquidity. As mobile financial services evolve, there will be a number of issues to consider for managing the new risks mobile phone-based payments stand to introduce. The emergence of more nonbank participants in the distribution of mobile payments, including telecom firms and their agents along with technology vendors, may create additional risk considerations for payment regulators. Since mobile technology-enabled payments do not require the face-to-face interaction that takes place with traditional banking, the resulting opaque, anonymous experience can also create more opportunity for criminal activity. This will be increasingly important in a future where mobile retail payments will occur rapidly and across geographic borders, potentially outside the purview of traditional regulatory oversight. Payments regulators have limited expertise and experience in identifying electronic payments crime in communication systems—so the potential for abuse is a real and imminent threat that is still abstract and not well understood in this early stage of the game.
Policy considerations for industry stakeholders, policymakers, and regulators
The integrity and safety of the world's retail payment systems rely on cooperative information sharing about service developments and potential gaps in regulation. A number of considerations should remain at the forefront of industry discussions.
- The new mobile landscape will require dialogue between the regulatory authorities for financial services and telecom firms. Financial and telecom sector regulators will need a comprehensive understanding of the emerging risks in mobile payments with a collective eye toward the potential need to establish new regulatory concepts of electronic money regulation. This may demand a program for routine communication to ensure that regulators understand payment system risk issues and provide effective risk-based supervision for payment services providers.
- An oversight infrastructure for mobile payments, including the financial services of telecom firms, should be established. This oversight might be established through a routinely convening workgroup representing applicable regulators or the creation of a new organization with expertise in the unique and dynamic risk issues in mobile services.
- Cross-border mobile payments may require improved customer-data sharing on an international basis. The anticipated growth in mobile remittances may demand a new environment of international cooperation and sharing of customer data and analysis.
- U.S. mobile payments services providers should be required to establish programs to mitigate the risk of money laundering. Mobile services will require new methods for detecting and monitoring data flows. All service providers, including telecoms, will need to establish risk management programs commensurate with the risk in their service offerings.
- Converged regulatory authorities should examine consumer protection risks for potential gaps in regulatory oversight. In the United States, it may be necessary to reexamine the applicability of Regulation E protections to stored-value payments as they become more prevalent in the mobile channel, in order to prevent consumer confusion in error resolution scenarios.
The experts are right in saying that mobile adoption is still low. But the rapid pace of change means that industry stakeholders, and especially regulators, need to be forward-looking and anticipate where the winds of change will blow. A rearview mirror approach to addressing emerging risks in mobile payments can be modified with proactive thinking, dialogue, and global collaboration.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum