Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
January 27, 2020
Mobile Banking Nearing Ubiquity
In June 2019, eight Federal Reserve districts,1 led by the Federal Reserve Bank of Boston's Payment Strategies Group, surveyed financial institutions (FIs) based in their respective districts about their current and planned mobile banking and mobile payment service offerings. The survey defined mobile banking as the use of a mobile phone to connect to a financial institution to access bank or credit account information (including to view balances), transfer funds between accounts, pay bills, set up account alerts, locate ATMs, deposit checks, and more. The term mobile payments described the use of a mobile phone to pay at the point of sale, remotely for a retail item (or items) using near field communication or a quick response code, or via mobile app or web for digital content, goods, or services (such as transit, parking, or ticketing).
You can find the full 2019 Mobile Financial Services Survey report, including the survey questionnaire, on the Boston Fed website. This collaborative survey effort previously took place in 2014 and 2016.
The survey found that 96 percent of the respondents currently offered or planned to offer mobile banking services. (As expected, most of the respondents who indicated they had no plans to offer mobile banking—18 of the 23—were the smallest FIs [those with assets under $50 million].) Support for mobile payment services had increased significantly since the 2016 survey, going from 24 percent to 43 percent in 2019, with an additional 26 percent planning to support mobile payments within two years.
Especially interesting to me were the responses to a new survey question regarding FIs' plans to issue contactless payment cards. Many of the largest FIs began issuing contactless cards in 2019. The survey found that while only 5 percent of respondents were issuing contactless cards, 21 percent plan to do so within two years and an additional 18 percent plan to issue them in the next two to five years. As the chart shows, although nearly two-thirds of the smallest FIs indicated no plans to offer a contactless card, a relatively high percentage (43%) of the larger FIs also indicated no plans to do so. I am curious to see how these plan responses change, if at all, in future surveys.
A total of 504 financial institutions responded—337 banks and 167 credit unions (CUs)—which represented 6 percent of all banks and 3 percent of all CUs in the United States. It is important to note that none of the top 100 banks by asset size and only four of the top 100 CUs by asset size are included in the survey. Almost half of the responding CUs have assets under $100 million. The distribution of survey respondents (displayed in the chart below) helps us better understand the development of mobile financial services in the mid- and small-sized FIs.
The Boston Fed's Payment Strategies Group will present a webinar on the full survey report later this year. We will be sure to keep Take On Payments readers apprised of those plans. In the meantime, if you have any questions regarding the survey or the results, please be sure to contact me.
1 Atlanta, Boston, Cleveland, Kansas City, Minneapolis, Philadelphia, Richmond, and San Francisco
August 19, 2019
Why Should You Care about PSD2?
The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority had refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.
The PSD2 has two major requirements: offer open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018 while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.
Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:
- Something you know (for example, PIN or password)
- Something you have (for example, chip card, mobile phone, or hardware token)
- Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)
PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.
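The two checks described above, sketched as an added example that is not part of the original post or of the regulation's text: a test that the verified elements span at least two categories, and an authentication code bound to the amount and payee account. The use of HMAC-SHA256, the element names, the key, and the account number are assumptions constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

DEMO_KEY = b"constructed-demo-key"  # constructed; real keys are per customer or device

# The three categories named in the post; this element-to-category
# mapping is an assumption made for the example.
CATEGORY = {
    "pin": "know", "password": "know",
    "chip_card": "have", "mobile_phone": "have", "hardware_token": "have",
    "fingerprint": "are", "face": "are", "voice": "are",
}

def satisfies_sca(verified_elements):
    """True when the verified elements span at least two categories."""
    return len({CATEGORY[e] for e in verified_elements if e in CATEGORY}) >= 2

def canonical(amount, currency, payee_account):
    # Normalise so "25.5" and "25.50" agree, and length-prefix the payee
    # so field boundaries cannot be shifted to build a colliding message.
    payee = payee_account.replace(" ", "").upper()
    return f"{currency}|{Decimal(amount):.2f}|{len(payee)}:{payee}".encode()

def issue_auth_code(key, amount, currency, payee_account):
    """Authentication code bound to one amount and one payee account."""
    msg = canonical(amount, currency, payee_account)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorize_remote_payment(key, verified_elements, amount, currency,
                             payee_account, auth_code):
    if not satisfies_sca(verified_elements):
        return "reject: fewer than two factor categories"
    expected = issue_auth_code(key, amount, currency, payee_account)
    if not hmac.compare_digest(expected, auth_code):
        return "reject: code not linked to this amount and payee"
    return "accept"

if __name__ == "__main__":
    payee = "XX00 DEMO 0000 0001"  # constructed account number
    code = issue_auth_code(DEMO_KEY, "25.50", "EUR", payee)
    factors = ["pin", "mobile_phone"]
    print(authorize_remote_payment(DEMO_KEY, factors, "25.50", "EUR", payee, code))
    print(authorize_remote_payment(DEMO_KEY, factors, "2550.00", "EUR", payee, code))
    print(authorize_remote_payment(DEMO_KEY, ["pin", "password"], "25.50", "EUR", payee, code))
```

A PIN plus a password fails the first check because both are "something you know," and a code issued for one amount is rejected when replayed against a different amount or payee.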
The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:
- Low-value transactions (under €30, approximately $33)
- Transactions with businesses that the consumer identifies as trusted
- Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
- "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
- Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
- Business-to-business (B2B) payments
Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.
July 29, 2019
You Can't Manage What You Can't Measure
Peter Drucker famously applied the adage you can't manage what you can't measure to widgets at General Motors. Researchers, fintech entrepreneurs, elected leaders, and others who are trying to ensure economic mobility for all would do well to remember this advice. To be able to interpret or conclude that real improvements are occurring due to financial innovation, it is important to understand the metrics used for assessing economic mobility.
One important resource for data on financial inclusion is the Group of Twenty (G20) Global Partnership for Financial Inclusion (GPFI). This group has produced a number of excellent documents on financial inclusion. I want to bring special attention to the G20 Financial Inclusion Indicators and the interactive dashboard.
These indicators grew out of the original Basic Set of Financial Inclusion Indicators, which was created in 2012. Updated this past April, the indicators are meant to measure achievements and disparities in the use of digital financial services along with the technology or environment that is needed to enable use of these services. The dashboard interprets recent data collected for certain indicators. You can download country-level raw data based on variables that you customize. Also on the G20 site is an interactive data visualizer that will let you see how the United States compares to other countries by each indicator.
There are three dimensions to the measurement: (1) access to financial services, (2) use of financial services, and (3) quality of products and service delivery. Here are some indicator categories related specifically to payments:
- Retail cashless transactions
- Adults using digital payments
- Mobile phone or Internet-based payments
- Payments using a bank card
- Debit card ownership
- Proximity to physical points of service (i.e., branches, ATMs, access to internet)
- Enterprises that send or receive digital payments
- Received wages or government transfers into an account
The GPFI encourages individual countries to supplement the G20 Indicators with country-specific metrics. Following are several additional sources contributing to measurements of financial inclusion for the United States:
- U.S. Financial Health Pulse by the Financial Health Network: Measures financial health using the Center for Financial Services Innovation Financial Health Score measurement methodology, consumer surveys, and transactional records.
- The Opportunity Atlas by the U.S. Census Bureau and Opportunity Insights: Maps the neighborhoods in the United States that offer children the best chance to rise out of poverty.
- Small City Economic Dynamism Index by the Federal Reserve Bank of Atlanta: Provides a snapshot of the economic trajectory and current conditions of 816 small and midsized cities across the United States. It includes 13 indicators of economic dynamism for metropolitan and micropolitan areas with populations above 12,000 and below 500,000.
- Payment Volume Charts Treasury-Disbursed Agencies by Bureau of the Fiscal Service: Offers downloadable reports that compare monthly and cumulative electronic funds transfer payment volumes for different time periods.
- Model Safe Accounts by the Federal Deposit Insurance Corporation: Offers an overview and report of a pilot program designed to evaluate the feasibility of financial institutions offering safe, low-cost transactional and savings accounts that are responsive to the needs of underserved consumers.
Keeping data at the forefront of the discussion on financial inclusion will better inform strategies, help organizations and entrepreneurs build better products and services, and help policymakers and many others monitor the effect of initiatives.
By Jessica Washington, AAP, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 8, 2019
Insuring Against Cyber Loss
Over the last few months, my colleagues and I have had multiple speaking engagements and discussions with banking and payments professionals on the topic of business email compromise (BEC). Generally, these discussions lead to talk about a risk management strategy or approach for this large, and growing, type of scam. One way some companies and financial institutions are mitigating their risk of financial loss to BEC and other cyber-related events is through a cyber-risk insurance policy. In a recent conversation, someone told me their cyber-insurance carrier mandates that they get an outside firm to audit and assess their cybersecurity strategy and practices, or they risk losing coverage.
According to a recent Wall Street Journal article, some large insurers are even going a step further and collaborating with each other to offer their own assessments of cybersecurity products and services available to businesses. Their results, which they will make publicly available, will identify products and services they deem effective in reducing cybersecurity incidents and potentially qualify insured companies with improved policy terms and conditions if they use those products or services.
Cybersecurity vendors who would like their products and services to be assessed must apply by early May. They are not required to pay any fees for the evaluation. In light of the rising number of cyber-related events and increasing financial losses, along with the growing number of legal cases between companies and their insurance providers, this move by the insurance companies makes sense as a way for them to potentially reduce their exposure to cyber incidents. But it will be very interesting to see just how many cybersecurity vendors apply for participation in the program and how effective the insurers are at assessing the vendors' products and services. Moreover, for businesses, just using cybersecurity solutions helps them meet only part of the challenge. How they implement and maintain these solutions is critical to an effective cybersecurity approach.
Also of note in the Wall Street Journal article is a graph that depicts the percentage of a particular global insurance company's clients, by industry, that have purchased a stand-alone cyber-insurance policy. Financial institutions, at 27 percent, rank last. Perhaps they are more confident in their cybersecurity strategies than are other industries, or perhaps insurers have no attractive stand-alone policies for financial institutions.
The cyber threat today is serious. In fact, Federal Reserve Board chairman Jerome Powell in a recent CBS 60 Minutes interview, when asked about a possible cyberattack on the U.S. banking system, responded that "cyber risk is a major focus—perhaps the major focus in terms of big risks."
As the Risk Forum continues to also focus on and monitor cyber risks, we look forward to the public findings from the insurers' collaborative assessment of cybersecurity products and services and will be interested to see if, over time, more financial institutions obtain cyber-risk insurance policies. I suspect the cyber-insurance industry will evolve in the products they offer and will continue to grow as companies look to mitigate their risks in the event of a cyber event.
What are your thoughts on this collaborative effort by the insurers? How do you see the cyber-insurance industry evolving? And do you think more financial institutions (or perhaps your own) will acquire cyber-insurance policies?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed