Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources for help navigating through these uncertain times. Also listen to our special Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

November 24, 2014

What’s Unsettled in Faster Payments?

When I started at the Federal Reserve Bank 27 years ago, the phrase "faster payments" was rarely spoken. Indeed, if people talking of payments were musing on speed (or the lack thereof), two things were a safe bet: first, the conversation was likely among bankers and, second, the talk revolved around check float and the tools for reducing it—check sort patterns, airplanes, or optimized ground routes. Those tools are not part of today's "faster payments" conversations, and the universe of discussants is much broader; it's not just bankers anymore.

Payments essentially comprise two components. The first is messaging—the instruction that delineates who is to be paid, by whom, and in what amount. The second component is settlement. Settlement is the event that finishes a payment. It is also commonly the slowest aspect within any given payment scheme. Settlement is the actual transfer of funds, the account adjustments directed by the messaging components.

For many payments, settlement takes much longer than appears to be the case, particularly from the perspective of the end user. For example, in a typical payment card transaction between a consumer and a retailer, once the card is swiped and "approved," the consumer is considered to have paid and can generally leave with the goods. But the merchant has received only the promise of payment. Settlement between card issuers and acquiring banks must occur before the merchant is paid. This can take more than a day and illustrates one issue with settlement lags: consequential strains on liquidity that merchants experience when they need to replace goods but may not have received payment to fund the resupply.

So will a faster payment solution resolve the liquidity issues currently experienced in many of the extant payment schemes? At this point, the answer is not a simple one. In town hall-style meetings and other updates, Fed speakers have noted that "real-time settlement is not required for real-time availability." This suggests that at least at the outset, a faster payments scheme here may not include immediate settlement. And if settlement does not occur simultaneously with messaging, certain parties in the transaction remain exposed to liquidity as well as other settlement risks. This doesn't mean that a new scheme will be plagued with settlement risk. The UK has successfully offered real-time clearing and availability without real-time settlement. However, other countries have built real-time settlement into their new systems because it does indeed reduce systemic risk. If a new system here is to be built from scratch, it seems important to probe fully the range of design issues and options and consider solving all of the longstanding payment risks that can be feasibly solved.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed


July 21, 2014

How Much Will Chip-Card Technology Affect ATM Owners?

Last week, my colleague Doug King wrote a post about the impact of the migration to chip-card technology on financial institutions that issue cards, with a focus on the smaller issuers. What happens with ATMs is an aspect of the chip-card migration that hasn't received much media attention. This may be because the liability shift timetable for ATMs—for MasterCard, it's October 2016; for Visa, October 2017—comes after the merchants' October 2015 deadline.

Of the roughly 430,000 ATMs in the country, nonfinancial institutions own just over half. The size of these independent ATM deployers (called IADs) range from two large companies with installed ATM bases of 60,000+ machines to thousands of small independent owners with a handful of ATMs. The conversion to support chip cards can cost these businesses up to $500–800 per machine. This impending ATM upgrade has echoes of the Triple DES (or Triple Data Encryption Standard) upgrade that Visa and MasterCard mandated in 2003, with a 2007 deadline. That upgrade involved strengthening ATM transaction security to better protect cardholder's personal identification numbers. Like today's chip-card upgrade, some of the older ATMs did not have the computing power necessary to support the upgrade, which meant the owners had the additional expense of replacing or decommissioning these machines. The independent-ATM installed base declined by more than 12 percent from 2007 to 2009 because many of the owners could not afford the Triple DES upgrade.

The costs of the current upgrade come at a time when the operators are seeing a constriction of their revenues. ATM usage has not kept up with the increased number of machines, which has resulted in lower average volumes per ATM and lower transaction revenues. The increased use of debit cards at retailers along with the cash-back option that many retailers offer are primary reasons for the lower usage.

The ATM owner has two main sources of revenue: interchange fees and surcharge fees. The card issuer pays the interchange fee; the cardholder pays the surcharge, which the ATM owner adds to the transaction amount. (The cardholder may also incur a "foreign transaction" fee from their financial institution for using an ATM outside their financial institution's network, but the ATM owner receives no portion of that fee.)

For 10 years, net interchange revenue to the IADs been steadily decreased. An industry survey showed that average interchange revenue per cash withdrawal dropped from $0.555 in 2006 to $0.3625 in 2012. ATM owners have some ability to raise their surcharge amount, but they have to remain competitive. (The average ATM surcharge amount for ATMs is about $2.50, according to Bankrate.com’s 2012 Checking Survey.) To offset these profitability constrictions, ATM owners are continuing to look for additional revenue sources, such as video advertising or branding their ATM with the name of a financial institution.

As the chip-card deadline for ATMs gets closer, Portals and Rails will continue to monitor and report on its impact.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed.

July 14, 2014

EMV Train is Gathering Steam: Procrastinators Take Warning

With each passing day it becomes more apparent that the United States’ EMV train—the one carrying the chip-embedded credit and debit cards—has left the station and is gaining steam for the ride towards the October 2015 POS liability shift timetable. In a June 12 press release, the EMV Migration Forum estimates that 100 million EMV cards (approximately 9 percent of the card base) will be issued by the end of 2014 plus an estimated 4.5 million chip-capable terminals (approximately 40 percent of terminals) will be installed by year’s end. Demonstrating different perspectives on the speed of the EMV train, two research groups, Aite Group and Javelin Strategy & Research, released their card conversion estimates:

EMC Card Conversion

Javelin also projects that 53 percent of POS terminals will be chip-enabled by the end of 2015.

The newly released PULSE 2014 Debit Issuer Study perhaps best captures EMV’s gathering speed. Of the issuers surveyed for this study, 86 percent plan to issue EMV cards in the next two years, compared to only 50 percent in the previous year’s study. However, the study reveals there is a bit of discrepancy between the EMV plans of large and small financial institutions. About 22 percent of community banks and 17 percent of credit unions have no EMV issuance plans compared to only 4 percent of large banks.

We know from experience that fraud generally migrates to the weakest link. So the EMV issuance findings are a bit troublesome, especially when we consider that the study found credit unions and community banks had already experienced significant increases to their signature debit fraud rates in 2013 from 2012 compared to large banks. Further, in 2013, credit unions and community banks had fraud rates approximately 25 percent and 15 percent, respectively, greater than that of large banks.

Despite the EMV naysayers, the U.S. payments industry is moving ahead with this initiative. For those smaller financial institutions waiting to see how EMV will unfold, the future has become clearer. By not acting, those financial institutions could become the "weakest link" and an easier target for the fraudsters compared to peers and competitors that do migrate. The train is rumbling down the EMV tracks, but there still is time to get an issuance plan in place.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 7, 2014

Fighting the High-Tech Criminals

The days of small gangs or the lone criminal committing "grab-and-go" robberies or counterfeiting checks and currency are certainly not over. However, crime stories involving millions of dollars and criminal networks that span the globe tend to grab the headlines these days. Just about everyone has heard about the recent data breaches at major retailers and ATM cash-outs that have netted criminals millions of dollars. A presentation at a recent payments security conference addressed the role of high-tech criminal groups in such crimes and the major threat they present to the security and reputation of our payment system. The speaker described how law enforcement agencies are working vigilantly to shut down these large global criminal enterprises and their cybercriminal activities.

The speaker detailed the composition of a criminal network, which closely resembles the organizational structure of a multinational corporation with numerous subsidiaries. This image shows the major components of the criminal enterprise.

major compoenents of the criminal enterprise

  • Executives—These people serve as the originating group and ultimate beneficiaries of the spoils of their successful attacks. They identify the types of criminal cyberactivity to pursue, including identifying the target companies or computer systems.
  • Financiers—If the executives don't have the financial resources to carry out their scheme, they often link to a funding source. The financiers may receive a share of the executives' profits as compensation, or they may simply treat the transaction as a loan, charging interest until the loan proceeds are repaid.
  • Exploiters—The hackers and software personnel identify vulnerabilities in software or systems and write malware code to compromise a target's account credentials. They normally receive compensation based on the type of attack and the level of sophistication.
  • Botnet operators—A botnet is a network of compromised computers. The botnet operators, sometimes called "bot herders," control these systems. They run automated programs in the background, so they are often undetected by the legitimate computer owners, to send massive amounts of spam, conduct spear phishing attacks, or in some other way launch attacks against their targets. Botnet operators receive payment based on the number of compromised computers they use and the time required for the attack.
  • Money mules—These players are in the most vulnerable group; they are the people on the street, retrieving the stolen funds and sending them, minus their cut, to the executives. Some law enforcement authorities have said that mules' share of the ill-gotten proceeds can be as high as 60 percent, depending on an operation's level of risk.

While these players are closely linked, they are generally separate criminal groups that have developed niche roles. The separation provides some safety to the executive group in that if members of one of the linked groups are arrested, executives can find another group to take their place so they can continue their illegal activities.

The major global criminal networks have proven to be formidable because of their resilience, but they are not invulnerable. Law enforcement agencies in the United States and other countries are working together to attack these networks through a variety of strategies. Unfortunately, in many cases, the core criminal leaders are physically located in safe havens, so called because local policies may prevent extradition or because governmental officials may be complicit or corrupt so they ignore the criminal activity as long as the targets of the crime are outside their borders.

Portals and Rails salutes the law enforcement personnel for their tireless efforts in this constant battle.

Photo of Deborah Shaw

Take On Payments Search


Recent Posts


Categories