Please enable JavaScript to view the comments powered by Disqus.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

March 30, 2020

Do We Use a Payments Risk Thermostat?

I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?Off-site link

The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.

  • We are not aware that hand washing is so effective.
  • We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.

Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.

I think this paper positing a "risk thermostatOff-site link" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."

So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)

As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:

  • U.S. Secret Service Adobe PDF file formatOff-site link: Watch out for phishing scams posing as medical or health providers, charity scams on social media.
  • Federal Trade Commission (FTC)Off-site link: Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
  • U.S. Securities and Exchange CommissionOff-site link Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of providing companies will increase in value.

As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.

Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.

March 23, 2020

Fast Cars and Fast Payments

My son and I recently attended the Daytona 500. As an 11-year-old, he is fascinated with fast cars and speeds that routinely exceed 200 mph. The cars were certainly fast at Daytona International Motor Speedway this year. While he is blown away by the speed of the cars, I remain amazed at the overall safety record of these cars. There were numerous wrecks at this year’s race, but only one driver was seriously injured on the last lap in a wreck that was horrifying to witness. The speed of the cars definitely makes for an exciting event, but at the end of the day, safety is vital. Nobody wants to see a driver injured, and racing organizations have gone to great lengths to make sure safety is the top priority even if it means compromising the speed of cars. Could safety be as important as speed in payments, too?

Having been involved in the payments industry for the past 13 years, faster and safer have always been two (of several) buzz words associated with payments. But faster, being much cooler to discuss, seems to be the focus all too often. (Don’t talk to my son about the safety of cars—he wants to talk speed!) I joke with my colleague about surveys we often come across claiming that an extremely high percentage of people want faster payments. As a standalone question—yes, I can absolutely see that. Faster is better than the status quo or slower, right?

But we rarely get a glimpse into how important faster payments really are and if people actually want them. Are they just giving an obvious answer to a leading question? How would people respond to a question about faster payments when the question includes other attributes such as safety?

In a recent surveyOff-site link, approximately 1,000 respondents from the United States between the ages of 16 and 75 were asked to choose the most critical characteristics of a payment instrument: safety from fraud and theft, privacy protection, ease of use, wide acceptance, and speed. Only 12 percent of them chose speed as one of the top two. Interestingly, respondents chose safety (62 percent) and privacy (37 percent) as the most important characteristics.

Coming home from Daytona, my son and I talked about the race and just how amazing it was to watch in person. I asked him if he would like to see the cars go faster in light of some of the awful crashes that we saw. In his 11-year-old wisdom, he said the cars are probably fast enough because he didn’t like watching that final wreck. While I could debate whether or not payments are fast enough, much like the cars racing in the Daytona 500, safety remains paramount for payment instruments and must remain at the forefront of any discussion on payments.

March 16, 2020

Are Emerging Payments More Vulnerable to Fraud?

Whenever I am in a conversation about new or emerging payment products or services, I invariably get asked whether I think they will attract heightened attention from criminals. My personal opinion is, "YES, at least initially!" Why do I have that opinion? The conventional wisdom is that criminals recognize that new payment systems are likely to have some security gaps in the beginning that can be exploited. There are a number of examples I can cite to support this position.

Consider the payment card enrollment process that accompanied the introduction of the Apple Pay wallet in late 2014. Whether it was a rush to get cardholders enrolled or because of loopholes in the Identification and Verification (ID&V) process, a number of the banks offering the service fell victim to fraud early on. Criminals enrolled a number of stolen credit and debit cards in the service and then were able to make high-dollar purchases because of weak verification controls. Some industry observers cited initial fraud losses in the 600Off-site link-to-800Off-site link-basis-point range at some of the early issuers. This rate compares to an overall in-person, payment card fraud rate of 12.2 basis points in 2015 cited in the Federal Reserve's Payments Study supplement Changes in U.S. Payments Fraud from 2012 to 2016. Fortunately, the affected banks reacted quickly and shored up their payment card enrollment processes.

Also consider the implementation of faster payments in the United Kingdom in 2008. As did other countries implementing faster payments, the United Kingdom tried to limit fraud by taking a measured approach. In the beginning, only credit push transactions with a maximum value of £10,000 (approximately $15,000) were eligible. (Most of the initial participating banks had lower limits.) In 2010, the maximum amount was raised to £100,000. Now the maximum limit is £250,000, although financial institutions may still set lower limits and differentiate between consumer and commercial account payments. My colleague Julius Weyman highlighted some of the fraud risks in faster payments in his 2016 working paper reviewing overall risks in faster payments schemes around the globe. He pointed to the 132 percent increase in online banking fraud the United Kingdom experienced in the year following implementation.

There is growing concern among consumers in the United States and the United Kingdom about the liability for authorized push payments—such as P2P payments—because of their near-real-time nature and their finality. In a future post, I'll examine this issue with authorized push payments and look at how the United Kingdom is dealing with it.

So circling back to my initial question, do you believe that the fraud rates for new and emerging payment products are likely to be higher than the more established payment products? Let us know what you think.

March 9, 2020

The Cash Battle Escalates

On the first day of a conference I recently attended, I participated in a town hall panel on the "right to choose cash." And on the last day, I presented key findings on cash usage from the Federal Reserve's Diary of Consumer Payment Choice (DCPC).

Between these bookend sessions, there were numerous remarks and discussions in other sessions and during networking breaks about how consumers' use of cash is changing. I heard the phrase "war on cash" quite a bit, although I think "battles against cash" is more accurate. Not surprisingly, the conference was the ATM Industry Association's annual conference.

For an industry whose primary product is currency, we can understand the importance of this topic to the ATM owner and operators.

There is no question that technology has permitted businesses that previously were cash-only to now either exclude cash or allow payment cards. Vending machines, mass transit fares, and parking meters—which all used to be cash-only—are prime examples of this transition. Since we have no federal law requiring businesses to accept cash, a few scattered private business owners have refused to take it. They cite the costs of handling cash and the security risks of robbery and employee theft as major disadvantages. Of course, every payment method has its advantages and disadvantages. On the positive side, cash payments are immediate and final, and are highly convenient, especially in natural disasters when electrical and connectivity infrastructure is disrupted.

Cash acceptance also has societal implications. The DCPC results show that unbanked households used cash for almost 62 percent of their payments, compared to 27 percent for underbanked households and 20 percent for fully banked households. (Unbanked households don't have checking or savings accounts, while underbanked households have accounts but also get financial products and services outside of the banking system.)

Additionally, lower income correlates to higher cash usage, as the chart shows.

Chart 01 of 01: Payment Shares by Income, October 2018

It is largely because cash-exlcusion practices can harm the un- and underbanked and low-income households that politicians have introduced or enacted legislative action to ban businesses from refusing to accept cash. Massachusetts has had such a ban since 1978 and was recently joined by New Jersey as well as the cities of San Francisco, Philadelphia, Washington, DC, and New York City. The states of Oregon, Wisconsin, New Hampshire, and Vermont have seen similar bills introduced. At the federal level, H.R. 2650, the Payment Choice Act, has received bipartisan sponsorship (28 Democrats and 8 Republicans) and now sits in the House Financial Services Committee.

Federal Reserve Bank of Atlanta president Raphael Bostic in recent remarks noted that some of the new ways business owners are conducting business are biased in that they lock out those who still use cash. He suggested that perhaps the definition of financial inclusion needs to be expanded to include the notion that every person should be able to use anywhere the payment channels they rely on for their transactions.

Take On Payments will continue to follow these cash battles.