Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
June 29, 2020
How Do You Love Me? Let Me Count the $$$$
The COVID-19 pandemic has affected everyone's life in some way. Sadly, criminals prey on the chaos created by such situations. We posted back in 2014 about a variety of advance fee scams where victims are duped into sending funds to the criminal, and more recently mentioned these scams in a post about elder financial exploitation. The latest figures from the Federal Trade Commission show that approximately 25,000 consumers reported losses of $201 million in 2019—nearly 40 percent more than in 2018—from romance scams. And this figure is only for reported losses. While the elderly are often a target, victims are adults of all ages and genders. With the social isolation created by the pandemic, romance scams appear to be increasing at a faster pace.
A romance scam often starts with the criminal placing a false profile on an internet dating site. In some cases, the website is completely fraudulent with a large base of false identities, and it collects payment card information for subsequent fraudulent transactions in addition to operating the advance payment scam. After some message exchanges on the dating site, the scammer will encourage the victim to use a private communication channel such as email or text messaging. In the past, the criminal would usually avoid video chats so as not to reveal their true identity. Today, however, these criminal efforts have become increasingly sophisticated. They often have the same person whose photograph they used on the site do these video chats. The criminal will often claim to live or work in a foreign country or at considerable distance from the victim to discourage the victim from visiting. The scammer will often research social media sites to gain more information about the victim's hobbies and interests to help convince the victim that they are "true soulmates."
The criminal tries to deepen the relationship with frequent claims of affection and may even send small-value gifts to the victim to build trust. Once the criminal believes they have the victim "hooked," the financial requests begin. Often it will be a request to send money to pay for medical services for a close relative, or to help the scammer get through some financial hardship. The criminal may also request nonfinancial items, including intimate photographs or videos to be used for extortion later. There may be a request for money or payment card information for the scammer to purchase an airline ticket to come visit the victim, a trip that never happens due to a sudden illness or other excuse.
Education is the key to the prevention or early detection of such a scam. The FTC recommends the following:
- Never send money in any form to someone you haven't actually met. If someone you've met online asks you for money, report it to the Federal Trade Commission (FTC) at ftc.gov/complaint.
- Perform a reverse image search of the person's profile picture to see if it matches with another person's name or if there are other discrepancies. (Some apps provide this service, as does at least one search engine.)
- If you discover that you are, in fact, being scammed, stop communicating with the person immediately, but save the messages.
- If the initial contact was through a dating website, notify the site of the scam.
The Federal Reserve joins with the FBI, FTC, and consumer organizations in helping to educate the public against these criminal activities. Please use any channels you have to spread this educational effort and clean up this slimy activity.
Now go wash up.
June 22, 2020
United Kingdom Extends Consumer Protection
A key element of a faster payments system is the finality of payment. Once the payer sends the payment (called an authorized push payment, or APP), it's pretty much gone for good. This finality provides a number of valuable benefits to both sender and receiver. But what if the sender has been deceived into authorizing a payment or simply makes an error in the payment destination instructions? In a March 2020 post, I discussed the growing concern in the United Kingdom about consumer liability for APPs. That concern resulted in regulatory action offering potential liability relief to consumers deceived into making such payments.
In an APP scam, a payer is tricked into transferring funds to a fraudster through an electronic payment. We have written in previous posts (including this one) about these advance fee scams; they involve people getting a call notifying them that they've won a lottery or owe delinquent tax payments, or they are asked by someone they've met through a dating site or service to send money. In the United States, once consumers have authorized such transactions, they are generally not protected from these losses by existing consumer protection regulations.
However, in the United Kingdom, the incidence rate for these APP scams reached such a level in 2017 that banking authorities took action. The financial services trade association UK Finance began collecting APP scam-fraud data and in January 2018 produced a best practices standards document to improve the identification and reporting of APP scams. The trade association noted that for 2019, losses from APP scams were £456 million (approximately US$581 million), compared to £354.3 million (approximately US$468.7 million) in 2018.
Also in 2018, the Financial Conduct Authority (FCA)—the United Kingdom's financial services regulator—began a series of regulatory changes intended to provide consumers with additional rights in APP disputes. Initially, APP fraud claims were directed to the consumer's financial institution, a payment service provider (PSP). The FCA concluded that the PSP receiving the funds was in a better position to investigate the situation and changed its guidelines to mandate including the receiving PSP in the investigation process.
The biggest shift occurred in May 2019, when the FCA launched a voluntary code regarding APP scams. The code, according to the industry group UK Finance, says that "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Under the code, a PSP is deemed to be at fault if it has not developed prevention (customer education) and detection programs. Although the code is labeled "voluntary," all the major U.K. banks have been required to adopt it. There continue to be efforts in the British Parliament to mandate that all financial institutions, regardless of asset size, adopt the code.
In 2019, there were a reported 122,437 cases of APP fraud in the United Kingdom. These cases, which totaled £101 million in losses, were reviewed under the provisions of the code. Of that total, £41.3 million, or 41 percent, was reimbursed to the consumer. My reading of the code makes it seem very subjective; it appears that if the victim didn't believe it was a scam at the time they initiated the payment, they should be reimbursed. The FCA documents concede that there isn't a specific checklist to make such a determination but that each case should be decided on an individual basis—a compliance official's worst nightmare.
In an effort to preempt an unauthorized APP from taking place, the United Kingdom's retail payment operator (Pay.UK) introduced its Confirmation of Payee service in 2019. This service checks whether or not the payee name attached to the APP is the same name on the account receiving the payment. Originally mandated to be operational by July 2019, the deadline for adoption by the six major banks was extended to March 31, 2020. Then, because of the COVID-19 pandemic impact, the deadline was again extended, this time to June 30, 2020, although some of the big banks have already implemented the service.
As APPs gain popularity in the United States with faster payments and P2P services, what is the likelihood that similar protections will be extended to consumers here? Let us know what you think.
June 15, 2020
A Cloudy Day Is No Match for a Sunny Disposition
Heading into 2020, investments in companies providing cloud computing services were on fire. Various research firms (here and here) estimate that worldwide spending on public cloud services is growing at a compound annual growth rate that falls between 15 percent and more than 22 percent. As cloud computing matures, many financial institutions are considering the benefits that it can provide. In an October 2019 report on a worldwide survey of bankers, a vendor reported that just over half of all bankers surveyed indicated that they currently have or plan to have a cloud adoption strategy in place within the next two years. Keep in mind that this survey was administered before COVID-19 changed, at least temporarily, the business environment.
Because so much work, banking, and commerce occurs remotely, demand for cloud computing has risen. Although cloud computing can offer advantages, financial institutions need to assess and monitor the risks just as they do with other third-party providers. This may be why the Federal Financial Institutions Examination Council (FFIEC) thought the timing was right to release a statement in late April on Security in a Cloud Computing Environment.
A key takeaway from the FFIEC statement is that even though cloud providers have controls in place, or offer controls, to create a secure environment, the "buck" ultimately stops with the financial institution. It remains the financial institution's responsibility to ensure that proper security protocols are in place based on the service level agreement with its cloud providers. As with other third-party relationships, financial institutions are responsible for ongoing oversight and monitoring of their cloud providers. It may be necessary for a financial institution to implement security protocols above and beyond what cloud providers offer.
Cloud computing can make our lives easier, as evidenced by those who have been able to work remotely during the past few months. But we must also recognize the risks it poses and mitigate those as much as possible. Although the FFIEC statement doesn't contain any new regulatory expectations, it does provide excellent guidance along with a multitude of resources and references for financial institutions seeking information on cloud computing risk management. By employing effective risk management practices, financial institutions can minimize the risks of the cloud becoming a storm cloud and keep the sun shining brightly on a secure environment!
June 8, 2020
Are Contactless Cards Having Their Moment?
This could be the moment Doug King has been waiting for. In February 2017, Doug blogged, "Wouldn't it be nice to tap and pay?" Back then, he reported his disappointment at not being able to use his "cool" card with contactless functionality. Today, my favorite consumer advice website is calling contactless payments "the wave of the future." And according to Visa, 31 million Americans tapped a Visa contactless card or digital wallet at the point of sale in March 2020, up from 25 million in November 2019. MasterCard projects that approximately 70 percent of its U.S. customers will have contactless cards by the end of 2022.
Dave Lott wrote last year that the speed of contactless card payments could make them as desirable—if not more desirable—than mobile payments. As Dave pointed out, "consumer payments is largely a total sum environment," so the rise of contactless could cannibalize other forms of payments like mobile. Continuing this line of thinking, I have been wondering if any rise in contactless card use could have an impact on the use of cash.
"Protect yourself while shopping," advises the Centers for Disease Control. "If possible, use touchless payment (pay without touching money, a card, or a keypad)."
Until a few months ago, the answer was clear: probably not much of an impact. Let's take a look at consumer behavior and survey responses in the pre-coronavirus environment.
- First, an April 2020 paper examined the behavior of 21,000 Swiss cardholders between 2016 and 2018. In the aftermath of receiving a contactless debit card, the Swiss cardholders increased their use of debit cards overall, especially for small-value payments. But the increase among the Swiss consumers was small. Most of the increase occurred among people who already were using their debit cards to pay. And Swiss account holders who used cash a lot—the researchers call them "cash lovers"—didn't change behavior. The researchers report that the average effect of receiving a contactless card was "underwhelming."
- Second, in response to a hypothetical question in fall 2019, U.S. consumers reported they would likely use contactless cards in the future to pay at grocery stores, gas stations, and department stores—payees with a high proportion of card payments already. In other words, consumers would not change their choice of payment instrument; rather, they would change their choice of authorization method (tapping instead of dipping a card). Again, underwhelming when we think about any potential impact on cash.
But that was then. In spring 2020, the future is murkier. Do you think consumers' ideas about and use of contactless cards would be different today?