
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


June 22, 2020

United Kingdom Extends Consumer Protection

A key element of a faster payments system is the finality of payment. Once the payer sends the payment (called an authorized push payment, or APP), it's pretty much gone for good. This finality provides a number of valuable benefits to both sender and receiver. But what if the sender has been deceived into authorizing a payment or simply makes an error in the payment destination instructions? In a March 2020 post, I discussed the growing concern in the United Kingdom about consumer liability for APPs. That concern resulted in regulatory action offering potential liability relief to consumers deceived into making such payments.

In an APP scam, a payer is tricked into transferring funds to a fraudster through an electronic payment. We have written in previous posts (including this one) about these advance fee scams; they involve people getting a call notifying them that they've won a lottery or owe delinquent tax payments, or they are asked by someone they've met through a dating site or service to send money. In the United States, once consumers have authorized such transactions, they are generally not protected from these losses by existing consumer protection regulations.

However, in the United Kingdom, the incidence rate for these APP scams reached such a level in 2017 that banking authorities took action. The financial services trade association UK Finance began collecting APP scam-fraud data and in January 2018 produced a best practices standards document to improve the identification and reporting of APP scams. The trade association noted that for 2019, losses from APP scams were £456 million (approximately US$581 million), compared to £354.3 million (approximately US$468.7 million) in 2018.

Also in 2018, the Financial Conduct Authority (FCA)—the United Kingdom's financial services regulator—began a series of regulatory changes intended to provide consumers with additional rights in APP disputes. Initially, APP fraud claims were directed to the consumer's financial institution, a payment service provider (PSP). The FCA concluded that the PSP receiving the funds was in a better position to investigate the situation and changed its guidelines to mandate including the receiving PSP in the investigation process.

The biggest shift occurred in May 2019, when the FCA launched a voluntary code regarding APP scams. The code, according to the industry group UK Finance, says that "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Under the code, a PSP is deemed to be at fault if it has not developed prevention (customer education) and detection programs. Although the code is labeled "voluntary," all the major U.K. banks have been required to adopt it. There continue to be efforts in the British Parliament to mandate that all financial institutions, regardless of asset size, adopt the code.

In 2019, there were a reported 122,437 cases of APP fraud in the United Kingdom. These cases, which totaled £101 million in losses, were reviewed under the provisions of the code. Of that total, £41.3 million, or 41 percent, was reimbursed to the consumer. My reading of the code makes it seem very subjective; it appears that if the victim didn't believe it was a scam at the time they initiated the payment, they should be reimbursed. The FCA documents concede that there isn't a specific checklist to make such a determination but that each case should be decided on an individual basis—a compliance official's worst nightmare.

In an effort to preempt an unauthorized APP from taking place, the United Kingdom's retail payment operator (Pay.UK) introduced its Confirmation of Payee service in 2019. This service checks whether or not the payee name attached to the APP is the same name on the account receiving the payment. Originally mandated to be operational by July 2019, the deadline for adoption by the six major banks was extended to March 31, 2020. Then, because of the COVID-19 pandemic impact, the deadline was again extended, this time to June 30, 2020, although some of the big banks have already implemented the service.

As APPs gain popularity in the United States with faster payments and P2P services, what is the likelihood that similar protections will be extended to consumers here? Let us know what you think.

January 30, 2017

Pssst…Have You Heard about PSD2?

No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.

The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:

  • Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customers' behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.
  • Requires financial institutions, upon the request of their customers, to allow these approved nonbank third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customers' business, and they also have concerns about data security.
  • Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.
  • Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.

While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed



_______________________________________

* Final rules are expected to be published in January 2017.


June 27, 2016

Between a Rock and a Hard Place?

Customer education encouraging safe payments practices has always been viewed by staff at the Retail Payments Risk Forum as a vital element in mitigating payments-related fraud. We have stressed this need time and time again in our posts as well as our numerous speaking engagements at payments-related conferences and events.

Financial institutions (FIs) have generally been identified as the group that should bear this responsibility as they own the account relationship, but with more intermediaries in the payments process, I think that others should also be involved. The advent of mobile banking and payments has introduced even more challenges since the financial institution doesn't get involved in the acquisition of the mobile device as that is normally handled by the mobile network sales representatives. My personal experience with these sales representatives is that once the device sale is done, they are more interested in selling me accessories or upgrading my data plan than they are teaching me about selecting and setting strong passwords or preventing malware and viruses from finding their way into my phone.

When I raise this issue with others, all too often I hear a pessimistic chorus that getting consumers to adopt strong security practices will always be a losing battle for FIs. They say that consumers will always choose convenience over security—that is, until they fall victim to fraud. And forget about any other player in the ecosystem taking on the education responsibility because if they have no liability for fraud losses, why direct funds to education when they could be deployed elsewhere?

The impact of fraud on a consumer's relationship with his or her financial institution has never been greater. We read every day about the increasing economic importance of the Gen Y or millennial segment. With an estimated 80 million people, they represent the largest segment of our country's bankable population. A late 2015 study by FICO on millennial banking habits revealed that 29 percent of respondents indicated that they would close all their accounts with a financial institution if one of those accounts experienced fraud. To make matters worse, one quarter of the survey participants indicated they would write a negative post on social media about their financial institution if they experienced a fraud incident.

So are financial institutions in a no-win situation? A ray of hope emerges from the same FICO study, which states that 41 percent of the millennials surveyed indicated that they recommended their FI to friends, colleagues, or family members after a positively handled fraud incident. Studies have consistently shown that payment security is a key concern of all customers, not just millennials. So although it may not seem fair that financial institutions have to shoulder most of the security education effort, the impact of not doing so could be significant. Perhaps it is time for a coordinated payments industry campaign to encourage consumers to adopt safer and more secure banking practices.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 21, 2015

Mimicking Mother Nature

A few months ago, we had a large colony of bats take up residence in our house. With the issue now resolved, and with everything we had to do to get rid of them, I realize how the whole experience was similar to the tactics of fraudsters and the challenges faced by their victims in taking preventive, detective and corrective action.

We learned of the initial intrusion purely by accident. Previously, we had never had any sign of vermin being able to gain entry, so I thought we had a solid defense. My wife had noticed a small amount of droppings on the back porch but we thought they were from squirrels. Imagine my shock when my adult son informed me we had been invaded by bats. He had discovered them one morning following an overnight stay. Departing for an early tee time, he noticed a swarm of bats flying into a soffit vent crevice. Incredulous, I waited for dusk only to see for myself a constant stream of small brown bats exiting the soffit crevice.

My wife went a little bat crazy as she imagined hordes of bats swooping down to carry off one of our grandkids. Actually, she was more concerned about the real threat of respiratory disease from their droppings as well as the potential for rabies. We began to do some research, and I soon learned that bats are a protected species, so they cannot be disturbed unless they are posing an immediate health threat. They weren’t, since they were not in our living space. But the problem intensified, which I realized one evening when I saw an even larger colony emerging from our chimney.

We began contacting companies that specialize in wildlife removal. We found a wide variety of suggested courses of action and prices. We selected one company based on its reputation, process, guaranteed results, and pricing. The company’s first step was to inspect the entire house to identify any other potential points of entry and to seal them. We notified our neighbors so they could be on the lookout to make sure the bats didn’t settle inside their houses. The next step was to install one-way excluders that would permit the bats to leave but not get back in. This seemed to be working well until a group of the bats somehow got word they were being evicted. Trying to find another way into the house, they navigated an interior wall and became trapped. Without water, they soon died and a putrid smell began to emerge. After cutting several holes in the wall, the technicians were able to locate the source and remove the carcasses. After a couple of weeks, the excluders were removed and the entry points sealed so we thought the problem was resolved.

Imagine our further surprise when we returned from vacation and found about 50 dead bats in our unfinished basement. It seems a group had remained and found a chase route from the attic to the basement seeking water. With the disposal of those bats, the problem seems to have finally been resolved. As fall approaches and bats migrate to warmer climates, the threat diminishes, but I can assure you we will be on the alert next spring.

So how does this relate to the payments fraud environment? Some similarities:

  • We thought we had a strong defense perimeter and were safe, but the bats found a way inside given they require an opening of only three-eighths of an inch.
  • While our discovery came shortly after their initial entry, it was only by sheer luck. We could have acted earlier if we had not ignored the early warning sign of their droppings.
  • We thought we had identified the sole location of the problem, but they then migrated to a second entry point.
  • Regulations limited the potential range of actions we could take to deal with the issue.
  • We shared information about the situation with our neighbors so they could be on the alert.
  • We analyzed several different options for dealing with the issue and preventing its recurrence.
  • Despite what we thought was a successful process, other issues arose and required action before there was a final resolution.

This experience with Mother Nature has provided us a learning opportunity and we are better informed and on the alert for future such events.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
