Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 19, 2010
Soccer balls and payment cards: A push for global standards
I am generally not a soccer fan but over the past few weeks I found myself curiously engaged in that nationalistic spectacle called the World Cup. Despite my general disinterest in low-scoring games and Oscar-quality performances by slightly injured players, I got caught up in the intensity of play and extraordinary skill levels displayed by these world class athletes. Then one day a debate erupted regarding standards. Apparently, soccer balls are not standardized and the one being used seemed hard and "skitterish." How bizarre!
Of course, my thoughts immediately turned to a more consequential global-standards issue taking place in the payments card world—the debate about the United States' reliance on the magnetic-stripe card standard as opposed to the chip-and-pin standard being adopted throughout the world, including in neighboring Canada.
Chip-and-pin technology has been deployed in Europe over the last decade as a means of reducing fraud by using the enhanced capabilities of a computer chip embedded in the plastic card to store and manage customer authentication data. Its success has been widely documented in recent fraud studies. This standard has been implemented using a specification called EMV, an acronym of Eurocard, MasterCard, and VISA, the original founders of the standard. In fact, EMV is now a corporation whose ownership has been expanded to include JCB (a Japanese card company) and American Express. So, what's the big deal? We survived the soccer ball dispute, so can't we survive the fact that the United States is not on board with the emerging global payments card standard? The answer may be a resounding "No!"
Various reports from payments research firms such as AITE have suggested that as many as 10 million U.S. travelers experienced difficulties with incompatible card technologies when traveling abroad during the past year. I learned some time ago that the least expensive and most secure way to acquire cash overseas is from an ATM machine. I now foresee a time when I will have to ask a European hotel concierge for the location of an American ATM (one capable of reading mag stripes), only to find out the nearest one is two miles away.
So why doesn't the United States adopt the emerging global standard? While there are many technological and political issues in play, the bottom line is that the overall cost of deployment to the U.S. payments system as a whole, and to merchants specifically, is a staggering number made even more daunting by the current state of the economy and available investment dollars. The Smartcard Alliance estimates that as many as six million merchant terminal devices may need to be replaced or upgraded to embrace chip-and-pin technology, with the bulk of the cost falling on the shoulders of merchants. Consequently, we are left to assume that we are likely to have to travel a long and winding road to migrate to the emerging global standard.
This observation is not in itself calamitous since past roads to worldwide standards are littered with the relics of failure (remember the push to implement the metric system?), but the stakes here are considerably higher in two important ways. First, we may become the only substantial economic power dependent on a payments standard that is less secure than that of the rest of the world. That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States in growing numbers. The second issue is that chip-and-pin technology is a critical element in progressing toward an even more secure and visionary goal—the deployment of mobile phone-based payments capabilities using a chip embedded in the phone. Industry conference agendas are crowded with sessions describing the way a smartphone can be waved near or tapped against a merchant terminal device using radio wave-based near-field communications (NFC) technology to capture the customer's payment credentials. Chips embedded in the phone, coupled with applications loaded on the phone from card-issuing banks, will create the effect of a "mobile wallet" that promises to be more convenient and, yes, more secure than what we use today.
So what should we do about this mess of the United States being out of step with respect to payments card technology? I would suggest that this issue could eventually reach the public policy level. Perhaps it is time for policymakers to consider whether migrating to an increasingly adopted world standard is in our best national interest. After all, we just mandated a move to digital television. While this change facilitated my ability to watch the World Cup in high definition, it cannot possibly be of the same importance as this brewing card issue. If we want to mitigate the possibility of the United States being a center of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
June 14, 2010
Boston and Atlanta Feds cohost mobile payments industry roundtable meeting
It is an established fact that the United States lags Asian and African countries in embracing mobile payments technology. The question is why. To examine the reasons for the lag, the Atlanta Fed's Retail Payments Risk Forum and the Boston Fed's Consumer Payments Research Center convened a meeting on January 27 and 28 of key industry stakeholders involved in the emerging mobile payments industry. The group engaged in a cross-industry dialogue to develop a mutual understanding of industry direction and a noncompetitive strategy to address barriers to adoption of mobile payments. Ultimately, the group sought to answer this question: "If mobile payments can function effectively and efficiently in Africa and Asia, why not in developed countries like the United States?" (Portals and Rails examined the same topic in its April 5 blog, "Consumer confidence the key to U.S. mobile payments future.")
Below is a summary of the meeting's discussion.
Drivers of and barriers to adoption
The United States has been slow to adopt mobile payments technology primarily because many existing payment alternatives are available and because a variety of different entrepreneural business models and pilot rollouts are currently under way. Many new proprietary services lack uniformity, so do not encourage trust and do not attain the critical mass necessary to succeed. Furthermore, the true state of consumer demand is clouded with conflicting perceptions concerning security and the value proposition for mobile payments. Industry participants need to understand exactly what consumers want in mobile payments, whose perceived value may in turn rely on some added feature or functionality rather than just the payment itself.
The transit industry—which is moving to contactless, card-based fare payments systems—has some of this additional functionality. These systems are being modified to allow use for the purchase of nontransit goods and services at merchants' point-of-sale locations that accept the major card brands. This trend is noteworthy because it leverages the transit system’s existing network to expand the payment functionality of the transit card to an open-loop environment.
Similarly, contactless technology, also known as near field communication (NFC), is finding its way into mobile payments, where the phone, as opposed to the card, is the form factor enabled with the chip technology. However, few chip-enabled mobile devices are available on the market today. Some vendors are offering peripheral devices, such as NFC stickers that adhere to the mobile phone, until more handset makers embed the technology in the phone itself. While this strategy provides a plausible interim solution, it also has the potential to confuse the market and delay the goal of full NFC deployment and adoption.
Merchants represent a key variable in the adoption equation. Because the capital investment in contactless point-of-sale equipment is expensive, merchants may delay investment decisions necessary for contactless payments via cards or mobile devices until they are certain of widespread adoption and use. Additional incentives such as mobile coupons or loyalty reward programs may be needed to create a viable business case for NFC payments.
Industry roles and responsibilities
A number of key topics arose out of the discussion surrounding industry roles and responsibilities.
- Customer ownership: The mobile payments environment is evolving to include a wide range of players—many new to financial services—who share the customer relationship in some way. Consequently, as mobile business models emerge, complications may arise in the sharing of customer data and revenue. No one group in the mobile ecosystem totally owns the customer, although some may bear more responsibility and liability than others, depending on the business model and infrastructure. Ultimately, customer ownership may be defined by the consumer's perception of ownership and who the consumer believes has committed an error in a payments transaction. It will be important for industry stakeholders to discuss scenarios in which customer protection and privacy are at stake, and decide which party will assume responsibility in the payment chain when something goes wrong. It will also be important for stakeholders to agree on collective customer data sharing in order to optimize fraud reduction efforts.
- Security: Security is a complex issue in the context of roles and responsibilities. For example, who is responsible for provisioning security for transactions that expand across the mobile space from the phone, to the carrier, to the processor, to the bank, and finally to settlement? While strong encryption methods exist for protecting user data during transmission, complexities may arise when different parties begin to share data in order to execute a payment transaction.
- Regulatory environment: The U.S. banking industry is highly regulated and guided by well-defined standards. The telecom industry, on the other hand, has a different regulatory environment, one that is focused on nonfinancial risk issues. The establishment of a trusted service manager may ultimately serve the role of facilitator to manage and bring together different industry participants.
- Gaps in oversight: With regard to the regulatory front, gaps may emerge in oversight for the conjoined telecom and banking industries, making it important for industry participants to work with regulators to identify oversight roles and close gaps in advance of widespread deployment. In that context, the Fed is interested in ensuring the integrity of emerging payments systems without taking any action that might stifle innovation and efficiency.
The meeting concluded on the theme that industry participants should work collaboratively to develop a uniform system to provide a common user experience that is safe and secure. While competition often fosters innovation, the industry should address interoperability and common standards in a cooperative rather than competitive context. Meeting participants agreed on broad actions intended to address adoption barriers and establish a viable mobile payments infrastructure. The meeting summary is available on the Boston and Atlanta Fed websites.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
June 1, 2010
Mobile P2P money: Contemplating new risks while analyzing adoption potential
Cell phone ubiquity and the growth of wireless networks are helping the world's poor to transcend from informal, cash-based societies to societies with more efficient and safer payments systems. The recent success of mobile operator-led payments services in emerging markets is galvanizing market experimentation in developed countries such as the United States.
Technology ripe for advance of mobile P2P
Mobile network operators and other nonbank firms are beginning to offer mobile-enabled payments transfer services in cross-border environments, using "agents" such as the corner store to accept cash deposits and accommodate withdrawals in lieu of traditional bank branches. These money transfer services, including both domestic and cross-border person-to-person (P2P) payments, are shifting to the mobile channel, providing consumers efficient, electronic alternatives to paper-based P2P payments. However, improved carrier roaming capacity and increased transaction activity may create opportunities for money laundering abuses and other unforeseen financial crimes. As new mobile financial services such as mobile P2P gain acceptance in markets throughout the world, how will industry participants plan for new and unanticipated risks?
The potential for market adoption
According to CGAP—or the Consultative Group to Assist the Poor—more than a billion people worldwide lack access to traditional financial services, but they do have mobile phones. This ubiquity has the potential to extend even more financial services to unbanked peoples throughout the world. In fact, a 2007 survey conducted by the GSM Association found that respondents expected the number of subscribers using mobile domestic money transfers to grow more rapidly for developed markets than for developing markets. These results imply that consumers in developed markets are interested in electronic P2P payment options and would be willing to conduct them via the mobile device.
The game changer when we think about payment adoption is the ability of the cell phone to execute domestic transfers in addition to international exchanges. This expanded functionality may fulfill the needs of mainstream consumers, as well as the unbanked, by giving them a convenient, cheap, and efficient alternative to writing checks or going to an ATM for a cash withdrawal for low-value exchanges.
The risk environment
In emerging markets, the risks of money laundering, identity theft, and other fraud are very real—they are merely eclipsed by the risks inherent in informal, cash-based systems, such as theft and extortion and possibly more violent crimes. So consumers in these countries where mobile payments are successful are arguably better off today despite the new risks introduced. However, this may not be the case in the United States, where we have a vast array of secure payment alternatives in place already. If convenience ultimately leads to adoption here, as it has abroad, what risks will P2P mobile money introduce, and how will we manage them?
The risks inherent in all retail payments systems are also present in the mobile space, including money laundering, privacy and security, consumer protection, fraud, and credit and liquidity risks. However, the mobile environment adds a dimension of complexity that makes quantifying risk more difficult. Participants in the payments value chain are increasingly disintermediated and outside the traditional legacy banking environment where the regulatory and legal governances are well established. In addition, there are other risks more unique to telecom firms that financial institutions and their regulators lack experience in detecting and monitoring. Finally, the regulatory domains governing banking and telecommunications are accustomed to operating independently and autonomously from one another and may be challenged to work collaboratively.
Implications for the United States
Domestic and international mobile money transfers are gaining adoption in world markets whose participants are likely to transact with U.S. consumers as wireless carriers provide services cross-border. Today, evidence in support of U.S. consumer demand is inconclusive because of the limited availability of P2P services and limited user experience. However, prevalence in offerings may not be the appropriate benchmark for determining whether discussions on risk management and payment system integrity are important going forward, as risk exposure may not be directly correlated to the rate of adoption. In order to protect the integrity and ensure continued security of retail payments systems in the United States, all participants in the emerging mobile payments industry should engage in proactive dialogue on emerging risk issues inherent in mobile money transfers.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
February 16, 2010
Haitian crisis: Are mobile payment discussions an unexpected consequence?
The earthquake in Haiti caused massive destruction that ultimately leveled the capital city of Port-au-Prince and resulted in the deaths of thousands of people. As charitable assistance has poured in from around the world, an unexpected revelation has come to light with respect to the potential for mobile phone–enabled payments. Within a matter of days, wireless network operaters facilitated millions of dollars in donations, demonstrating how quickly people all over the world could assemble to adopt a single payment method for a specific purpose. Through the use of text messaging, or SMS (short message service), via the mobile phone, consumers could send payments to a variety of charitable organizations providing aid to Haiti.
Convenience of text messaging can drive adoption
I heard someone say recently that "convenience is like a drug for consumers." This convenience is possibly why texting is outpacing e-mail messaging as a mainstream form of communication—the ubiquity of mobile phones makes texting increasingly easier, cheaper, more convenient, and perhaps a natural vehicle for sending payment instructions. According to research released by Nielsen Mobile, the typical U.S. consumer sends and receives more SMS text messages than telephone calls. Mobile SMS is already widely used in developing countries to facilitate mobile money transfers for domestic person-to-person payments and cross-border remittances.
What if something goes wrong?
In many developing countries, mobile money transfer payments are transmitted via SMS without a bank partner to facilitate clearing and settlement. As described in an earlier post, Safaricom's M-pesa service provides mobile phone–enabled payments through text message instructions, with cash-out needs accommodated by agents, typically a village store or wireless retailer. But many of the payments are peer-to-peer in nature and funded by topping up the consumer's mobile phone bill. In the Haiti example, customers also could fund the payment by adding the value of the donation to their phone bills or by debiting a bank account.
Of course, the legal and regulatory environments in the United States differ markedly from developing markets like Kenya, where the M-pesa mobile payments service has grown so rapidly. The risk environments also differ significantly. In Kenya, a consumer faces less risk of loss in a mobile-enabled payment environment than the cash-based system that prevailed only a few years ago. U.S. consumers have many choices in payments and enjoy legal protections if service providers fail to consummate the payment transaction.
So what happens if the $20 donation instruction you sent to Haiti appears as a $200 or even a $2,000 charge on your bill? What if there is a disagreement about the error between you and your wireless carrier? What else could go wrong?
Protection for consumers
One of the growing challenges created by payment innovations is the creation of new laws and rule sets, which provide different protections depending on the payment type. This challenge is further complicated as payments converge and assume different formats along the supply chain. For example, a payment initiated via a credit card on a mobile device is subject to error resolution procedures and consumer protection standards established by the card networks. Similarly, Regulation E covers electronic transactions initiated from a bank deposit account. But if you disagree with a charge to your phone bill for a payment, it is questionable whether the error resolution provisions of Regulation E would even apply. As telecom firms become more important participants in retail payments, what laws and rule sets can consumers look to for protection when things go awry?
Of course, these issues are highly hypothetical but also very possible. Telecom firms and mobile payment service providers are filling new roles in mobile payments, forcing business models that we know today into a new paradigm. Perhaps the crisis in Haiti will serve as a catalyst for proactive thinking on risk issues so that all industry participants can work together to build a safe and trusted mobile sector of commerce.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud