About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

August 19, 2019

Why Should You Care about PSD2?

The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority had refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.

The PSD2 has two major requirements: offer open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018 while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.

Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:

  • Something you know (for example, PIN or password)
  • Something you have (for example, chip card, mobile phone, or hardware token)
  • Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)

PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.

The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:

  • Low-value transactions (under €30, approximately $33)
  • Transactions with businesses that the consumer identifies as trusted
  • Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
  • "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
  • Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
  • Business-to-business (B2B) payments

Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.


July 29, 2019

You Can't Manage What You Can't Measure

Peter Drucker famously applied the adage you can't manage what you can't measure to widgets at General Motors. Researchers, fintech entrepreneurs, elected leaders, and others who are trying to ensure economic mobility for all would do well to remember this advice. To be able to interpret or conclude that real improvements are occurring due to financial innovation, it is important to understand the metrics used for assessing economic mobility.

One important resource for data on financial inclusion is the Group of Twenty (G20) Global Partnership for Financial Inclusion (GPFI). This group has produced a number of excellent documents on financial inclusion. I want to bring special attention to the G20 Financial Inclusion Indicators and the interactive dashboard.

These indicators grew out of the original Basic Set of Financial Inclusion Indicators, which was created in 2012. Updated this past April, the indicators are meant to measure achievements and disparities in the use of digital financial services along with the technology or environment that is needed to enable use of these services. The dashboard interprets recent data collected for certain indicators. You can download country-level raw data based on variables that you customize. Also on the G20 site is an interactive data visualizer that will let you see how the United States compares to other countries by each indicator.

There are three dimensions to the measurement: (1) access to financial services, (2) use of financial services, and (3) quality of products and service delivery. Here are some indicator categories related specifically to payments:

  • Retail cashless transactions
  • Adults using digital payments
  • Mobile phone or Internet-based payments
  • Payments using a bank card
  • Debit card ownership
  • Proximity to physical points of service (i.e. branches, ATMs, access to internet)
  • Enterprises that send or receive digital payments
  • Received wages or government transfers into an account

The GPFI encourages individual countries to supplement the G20 Indicators with country-specific metrics. Following are several additional sources contributing to measurements of financial inclusion for the United States:

  • U.S. Financial Health Pulse by the Financial Health Network: Measures financial health using the Center for Financial Services Innovation Financial Health Score measurement methodology, consumer surveys, and transactional records.
  • The Opportunity Atlas by the U.S. Census Bureau and Opportunity Insights: Maps the neighborhoods in the United States that offer children the best chance to rise out of poverty.
  • Small City Economic Dynamism Index by the Federal Reserve Bank of Atlanta: Provides a snapshot of the economic trajectory and current conditions of 816 small and midsized cities across the United States. It includes 13 indicators of economic dynamism for metropolitan and micropolitan areas with populations above 12,000 and below 500,000.
  • Payment Volume Charts Treasury-Disbursed Agencies by Bureau of the Fiscal Service: Offers downloadable reports that compare monthly and cumulative electronic funds transfer payment volumes for different time periods.
  • Model Safe Accounts by the Federal Deposit Insurance Corporation: Offers an overview and report of a pilot program designed to evaluate the feasibility of financial institutions offering safe, low-cost transactional and savings accounts that are responsive to the needs of underserved consumers.

Keeping data at the forefront of the discussion on financial inclusion will better inform strategies, help organizations and entrepreneurs build better products and services, and help policymakers and many others monitor the effect of initiatives.

By Jessica Washington, AAP, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 8, 2019

Insuring Against Cyber Loss

Over the last few months, my colleagues and I have had multiple speaking engagements and discussions with banking and payments professionals on the topic of business email compromise (BEC). Generally, these discussions lead to talk about a risk management strategy or approach for this large, and growing, type of scam. One way some companies and financial institutions are mitigating their risk of financial loss to BEC and other cyber-related events is through a cyber-risk insurance policy. In a recent conversation, someone told me their cyber-insurance carrier mandates that they get an outside firm to audit and assess their cybersecurity strategy and practices, or they risk losing coverage.

According to a recent Wall Street Journal article, some large insurers are even going a step further and collaborating with each other to offer their own assessments of cybersecurity products and services available to businesses. Their results, which they will make publicly available, will identify products and services they deem effective in reducing cybersecurity incidents and potentially qualify insured companies with improved policy terms and conditions if they use those products or services.

Cybersecurity vendors who would like their products and services to be assessed must apply by early May. They are not required to pay any fees for the evaluation. In light of the rising number of cyber-related events and increasing financial losses, along with the growing number of legal cases between companies and their insurance providers, this move by the insurance companies makes sense as a way for them to potentially reduce their exposure to cyber incidents. But it will be very interesting to see just how many cybersecurity vendors apply for participation in the program and how effective the insurers are at assessing the vendors' products and services. Moreover, for businesses, just using cybersecurity solutions helps them meet only part of the challenge. How they implement and maintain these solutions is critical to an effective cybersecurity approach.

Also of note in the Wall Street Journal article is a graph that depicts the percentage of a particular global insurance company's clients, by industry, that have purchased a stand-alone cyber-insurance policy. Financial institutions, at 27 percent, rank last. Perhaps they are more confident in their cybersecurity strategies than are other industries, or perhaps insurers have no attractive stand-alone policies for financial institutions.

The cyber threat today is serious. In fact, Federal Reserve Board chairman Jerome Powell in a recent CBS 60 Minutes interview, when asked about a possible cyberattack on the U.S. banking system, responded that "cyber risk is a major focus—perhaps the major focus in terms of big risks."

As the Risk Forum continues to also focus on and monitor cyber risks, we look forward to the public findings from the insurers' collaborative assessment of cybersecurity products and services and will be interested to see if, over time, more financial institutions obtain cyber-risk insurance policies. I suspect the cyber-insurance industry will evolve in the products they offer and will continue to grow as companies look to mitigate their risks in the event of a cyber event.

What are your thoughts on this collaborative effort by the insurers? How do you see the cyber-insurance industry evolving? And do you think more financial institutions (or perhaps your own) will acquire cyber-insurance policies?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 4, 2019

The Importance of the Small

In Shakespeare's "A Midsummer Night's Dream," Helena said, "Though she be but little, she is fierce," in reference to the power of her romantic foe, Hermia. In today's pop culture, this quote can be found on T-shirts, coffee mugs, inspirational wall hangings, and social media memes touting women's power. But it has a broader meaning to me, one that says small voices are every bit as important as large ones.

In the payments industry, I think of the small voices as being the smaller financial institutions—which are crucial to the success of the Federal Reserve Payments Study, contributing a great deal to the study findings. The study, which estimates the number and value of noncash payments made by U.S. consumers and businesses as well as the data around payments fraud, is intended to inform policymakers, the industry, and the public about aggregate trends in the nation's payments system. Most recently, this work culminated in a benchmark report on U.S. payments fraud from 2012 to 2016.

One important component of the study is to collect data on checks, ACH, wire transfers, cards, cash withdrawals and deposits, third-party fraud, and related information from a nationally representative sample of commercial banks, savings institutions, and credit unions, from the largest to the smallest. So what exactly is meant by a "nationally representative sample"?

In a nutshell, for our estimates to be representative of national payment volumes, we have to account for all sources of volume. If we include only the largest institutions or leave out some segments, the estimates can be biased, either too large or too small. Even though much of payments volume is concentrated in the largest institutions, it is impossible to know how much so without having a good estimate for all segments of the banking population. Past surveys have shown that the segments can exhibit very different trends from study to study. For example, from 1995 to 2000, total checks at large commercial banks fell, while total checks at credit unions and savings institutions grew. (Read more about that in this report from the Federal Reserve Board of Governors.) Without the information from credit unions, the decline in checks would have appeared larger than it actually was.

Study participants are selected from among U.S. commercial banks, savings institutions, and credit unions. According to reports filed with the Federal Reserve in 2015, there were approximately 10,600 of these depository institutions (DI) in the United States that met the criteria (see the table). Using Call Report data filed with the Federal Reserve, a sample frame of slightly under 3,800 institutions was determined to be representative of the entire population of U.S. financial institutions. Each institution type is further grouped according to deposit size.

| Institution Type | Deposit Size (Maximum)* | No. of U.S. Institutions | No. Invited to Participate in Study |
|---|---|---|---|
| Commercial Banks | | 50 | 50 |
| | $10,900,000,000 | 264 | 264 |
| | $799,500,000 | 247 | 237 |
| | $388,000,000 | 337 | 237 |
| | $232,000,000 | 618 | 308 |
| | $139,754,000 | 872 | 289 |
| | $83,909,000 | 1,190 | 444 |
| | $41,980,000 | 1,382 | 356 |
| Subtotal | | 4,960 | 2,185 |
| Savings Institutions | | 25 | 24 |
| | $1,650,000,000 | 48 | 48 |
| | $497,000,000 | 102 | 102 |
| | $195,000,000 | 132 | 104 |
| | $100,500,000 | 155 | 116 |
| | $46,300,000 | 292 | 96 |
| Subtotal | | 754 | 490 |
| Credit Unions | | 25 | 25 |
| | $730,000,000 | 47 | 46 |
| | $365,000,000 | 137 | 126 |
| | $185,000,000 | 174 | 143 |
| | $105,500,000 | 240 | 147 |
| | $58,000,000 | 399 | 167 |
| | $26,680,000 | 690 | 201 |
| | $11,190,000 | 3,144 | 242 |
| Subtotal | | 4,856 | 1,097 |
| Total | | 10,570 | 3,772 |

*For commercial banks and savings institutions, this is the sum of public checkable deposits (or checking account balances) and money market deposit accounts. For credit unions, this reflects public checkable deposits only.

Source: Table adapted from Geoffrey Gerdes and Xuemei Liu. "Improving Response Quality with Planned Missing Data: An Application to a Survey of Banks," in The Econometrics of Complex Survey Data: Theory and Applications (Advances in Econometrics, volume 39), ed. Kim P. Huynh, David T. Jacho-Chavez, and Gautam Tripathi. Available April 1, 2019.

As the table shows, financial institutions in each category with the lowest maximum deposit size comprise approximately 46 percent of the total number of U.S. institutions. Of this group, consisting of more than 4,800 DIs, just under 700 were invited to participate in the study, or approximately 18 percent of the total sample.

Take, for example, credit unions with a maximum deposit size of $11.2 million. In 2016, there were approximately 3,100 institutions in this category, and 242 were invited to participate in the study to represent that segment. Similarly, 96 savings institutions with a maximum deposit size of $46.3 million were selected to represent the overall segment of just under 300 institutions.

Grouping institutions in this way improves the quality of results, as the institutions within each category share many similar characteristics. The smaller institutions have a unique voice and experience that the larger DIs cannot represent. To develop a true and accurate national picture of the payments landscape, it is important that all voices be heard.

I hope your takeaway from this post is that the contributions of all financial institutions—large and small—are important to the accuracy and representativeness of the data that the Federal Reserve Payment Study reports. And although study participants may sometimes think their institutions are small fish in a big pond, their survey contributions serve as the voice of their peers, and in the collective, that whisper becomes a mighty voice.

By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed