
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


June 22, 2020

United Kingdom Extends Consumer Protection

A key element of a faster payments system is the finality of payment. Once the payer sends the payment (called an authorized push payment, or APP), it's pretty much gone for good. This finality provides a number of valuable benefits to both sender and receiver. But what if the sender has been deceived into authorizing a payment or simply makes an error in the payment destination instructions? In a March 2020 post, I discussed the growing concern in the United Kingdom about consumer liability for APPs. That concern resulted in regulatory action offering potential liability relief to consumers deceived into making such payments.

In an APP scam, a payer is tricked into transferring funds to a fraudster through an electronic payment. We have written in previous posts (including this one) about these advance fee scams; they involve people getting a call notifying them that they've won a lottery or owe delinquent tax payments, or they are asked by someone they've met through a dating site or service to send money. In the United States, once consumers have authorized such transactions, they are generally not protected from these losses by existing consumer protection regulations.

However, in the United Kingdom, the incidence rate for these APP scams reached such a level in 2017 that banking authorities took action. The financial services trade association UK Finance began collecting APP scam-fraud data and in January 2018 produced a best practices standards document to improve the identification and reporting of APP scams. The trade association noted that for 2019, losses from APP scams were £456 million (approximately US$581 million), compared to £354.3 million (approximately US$468.7 million) in 2018.

Also in 2018, the Financial Conduct Authority (FCA)—the United Kingdom's financial services regulator—began a series of regulatory changes intended to provide consumers with additional rights in APP disputes. Initially, APP fraud claims were directed to the consumer's financial institution, a payment service provider (PSP). The FCA concluded that the PSP receiving the funds was in a better position to investigate the situation and changed its guidelines to mandate including the receiving PSP in the investigation process.

The biggest shift occurred in May 2019, when the FCA launched a voluntary code regarding APP scams. The code, according to the industry group UK Finance, says that "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Under the code, a PSP is deemed to be at fault if it has not developed prevention (customer education) and detection programs. Although the code is labeled "voluntary," all the major U.K. banks have been required to adopt it. There continue to be efforts in the British Parliament to mandate that all financial institutions, regardless of asset size, adopt the code.

In 2019, there were 122,437 reported cases of APP fraud in the United Kingdom. These cases, which totaled £101 million in losses, were reviewed under the provisions of the code. Of that total, £41.3 million, or 41 percent, was reimbursed to the consumer. My reading of the code makes it seem very subjective; it appears that if the victim didn't believe it was a scam at the time they initiated the payment, they should be reimbursed. The FCA documents concede that there isn't a specific checklist to make such a determination but that each case should be decided on an individual basis—a compliance official's worst nightmare.

In an effort to preempt an unauthorized APP from taking place, the United Kingdom's retail payment operator (Pay.UK) introduced its Confirmation of Payee service in 2019. This service checks whether or not the payee name attached to the APP is the same name on the account receiving the payment. Originally mandated to be operational by July 2019, the deadline for adoption by the six major banks was extended to March 31, 2020. Then, because of the COVID-19 pandemic impact, the deadline was again extended, this time to June 30, 2020, although some of the big banks have already implemented the service.

As APPs gain popularity in the United States with faster payments and P2P services, what is the likelihood that similar protections will be extended to consumers here? Let us know what you think.

August 2, 2010

Fight against payments fraud: The target is moving, but not everybody takes aim

Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.

Regarding the evolution of payments fraud, the technologies that enable electronic payment innovations are the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.


Changes in Types of Suspicious Activity, 2008-09

This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.


FinCEN Suspicious activity report filings by depository institutions

Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.


Prevalence of Payments Fraud in 2009

Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.

Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.


Reasons for Not Using Positive Pay, Debit Blocks or UPIC

Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

December 28, 2009

Mobile money transfers: Benign P2P or hawala money?

Informal value transfer systems (IVTS) such as traditional trade and barter have existed since the beginning of time and still serve legitimate purposes today. While informal payments may provide benefits such as improved reliability and convenience to users over formal systems, they may also create regulatory and risk management challenges. Person-to-person (P2P) payments via the mobile phone, also known as mobile money transfers (MMT), represent an innovation with the potential for use in informal channels as nonbanks, many of which are start-up firms, extend services in a cross-border environment.

IVTS were defined by Nikos Passas to describe "any network or mechanism that can be used to transfer funds or value from place to place either without leaving a formal paper trail of the entire transaction or without going through regulated financial institutions." One of those systems is hawala, which has its origins in classical Islamic law and is mentioned in texts of Islamic jurisprudence as early as the eighth century. Hawala drew interest from the U.S. government after 9/11 because payments are exchanged on the honor system without a paper trail. With this arrangement, it could be difficult to determine if a transfer of funds was for legitimate purposes.

In addition to hawala, Passas identified other important IVTS to include gift and money transfer services via Internet sites, Internet-based payments and transfers, and stored value cards, such as prepaid telephone cards, to name a few. IVTS systems and mechanisms range from basic and traditional exchanges to modern and sophisticated ones.


Passas' initial work predated the recent developments in the mobile payments channel and certainly came before the growth in mobile enabled P2P and the use of prepaid airtime for remittances, as described in an earlier edition of Portals and Rails. When P2P payments are conducted by mobile carriers in a bank-agnostic ecosystem, do they potentially represent a more sophisticated, modern-day informal payment system?

MMT: The fastest-growing mobile payment
P2P payments represent possibly the fastest form of financial transaction enabled by mobile phones, driven by the steady growth in remittance markets, the ubiquity of cell phones themselves, and the desirability for an electronic P2P payment alternative in developed countries like the United States. Research firm Gartner recently identified mobile money transfer as the first of the top 10 consumer mobile applications in 2012, made possible by developments in smart handsets like the iPhone. Separately, ABI Research predicts that almost three times as many consumers worldwide will use mobile phones to conduct P2P payments than those who will use them to conduct mobile banking functions by the end of 2011.

Formal versus informal
GSMA (Global System Mobile Association), the alliance of mobile network operators, launched the Mobile Money Transfer Programme initiative to promote the mobile channel and formalize international remittances. With low barriers to entry, roaming capacity, and a growing unbanked market in developed countries, start-up firms may offer informal MMT services, including international and domestic P2P in cross-border markets to expand their customer reach and network opportunities. While informal payment systems can provide means for legal transactions, the lack of transparency could potentially provide bad actors the opportunity for money laundering and other financial crimes.

Nonbanks, like telecom firms and others, are rapidly entering the financial services arena, creating an uncertain regulatory environment as laws and regulations vary from country to country. Will mobile P2P innovation permit service offerings that are characterized as informal payments with the potential for misconduct? Will violators of money-laundering laws go undetected as stored-value mechanisms move from the plastic card to the mobile device? These questions will no doubt be the focus for regulators in many markets going forward as they attempt to understand both the operational and regulatory risks money transfer services have the potential to introduce.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

February 2, 2009

Retail Payments Risk and Fraud: Detection and Mitigation

The Retail Payments Risk Forum hosted a conference titled "Risk and Fraud in Retail Payments: Detection and Mitigation" at the Federal Reserve Bank of Atlanta on Oct. 6–7, 2008. This conference provided a collaborative forum to facilitate information sharing among experts and foster improved detection and mitigation of retail payments risks and fraud in check and automated clearinghouse (ACH) payment systems. Experts from banking agencies, state and federal law enforcement, NACHA, the ACH operators, and others explored barriers and discussed opportunities. The meeting leveraged the assembled expertise to identify opportunities for further collaboration.

Three expert panels discussed themes regarding third-party risks in retail payments, enforcement actions, and consumer protection concerns. Participants were then asked to discuss key topics in smaller breakout groups, including information-sharing limitations, policing bad actors, collaborative opportunities, substantive areas of concern, and the role of the Retail Payments Risk Forum.

The proceedings of the conference are summarized in the full-length conference summary, which can be found as text or pdf. We encourage you to review the conference summary and also to provide any comments you may have within Portals and Rails. In particular, we want to know what you thought of the topics addressed. Did the discussions reflect your understanding of the issues? Did we miss anything? What topics would you like to see addressed in future such events? How do we best ensure ongoing collaborative work among industry, regulatory, and law enforcement parties in the detection and mitigation of retail payments risks and fraud? Your thoughts are very valuable to us!

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
