Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
January 25, 2021
Resolve for Better Data Privacy
On the heels of a year that saw, among other things, ransomware attacks occurring about every 11 seconds and a significant supply chain breach affecting 18,000 public and private entities, better data privacy should top our collective list of New Year's resolutions. But if this wasn't among our resolutions, we still have National Privacy Day on January 28 to remind us of the need to be vigilant.
Frank Sinatra sang to us in "Love and Marriage" that you can't have one without the other. Likewise, you can't separate data privacy from data protection. Organizations that place a high value on data privacy implement strong data protection measures. Without doing so, privacy can't be assured.
The National Cyber Security Alliance, sponsor of National Data Privacy Day, has created calls to action employing a few basic privacy concepts that individuals and businesses can follow to keep data safe online.
For individuals: Own Your Privacy
- Personal info is like money: Value it. Protect it. Beyond personally identifiable information, this extends to e-commerce purchases, IP address, and location.
- Keep tabs on your apps. Don't just click "OK" on those pop-ups asking to access your location, contact lists, photos, and other personal data. Consider why it is needed and how it will be used and stored. Also, closely examine links and attachments in text messages and emails to keep malware and viruses off your mobile device.
- Manage your privacy settings. Revisit the data access permissions on your apps and web services.
For businesses: Respect Privacy
- If you collect it, protect it. Consider the data your business collects, the business purpose it serves, the way it is stored (such as data encryption), and the length of time it is stored.
- Adopt a privacy framework. Establish a privacy culture in your organization that manages risk and promotes transparency.
- Conduct an assessment of your data collection practices. Evaluate their adherence to applicable privacy regulations.
- Remember that transparency builds trust. Promote transparency with customers in the collection, use, and sharing of their personal data.
- Maintain oversight of partners and vendors. Ensure that third-party service providers share your priority for data privacy and protection.
As many of us will likely continue to work remotely well into 2021—and will likely continue our heavy use of the internet and e-commerce adopted last year—the new year provides a good opportunity to examine apps and behaviors that could put your data privacy at risk. For me, this includes reviewing locations where my payment information and other personal data are stored.
How will you resolve to better protect your data in 2021?
November 9, 2020
Cheering on the Team—Go ACH!
Did you see the commercial during the last SuperBowl about ACH payment innovations? No? Me neither. Of course, that's because there wasn't one. In fact, it doesn't appear there needs to be public advertisements for ACH payments. Why? With value processed on the network having increased more than $1 trillion over the past seven years , ACH doesn't have to be a household name. What you do need to know is that there is lots of growth and innovation happening with ACH behind the scenes these days, and I am an ACH cheerleader.
According to Nacha, the organization responsible for administering the ACH network and its private-sector Operating Rules, the Automated Clearing House (ACH) network processed 34.7 billion transactions valued at $55.8 trillion in 2019. That's, respectively, 7.7 and 8.9 percent growth over 2018. That's also 47 times more than the combined 2019 net sales of Walmart, Amazon, Kroger, Costco, and Walgreens, which was $1.186 trillion, according to National Retail Federation rankings. As for the number of transactions, the total volume of U.S. ACH payments in 2019 translates to approximately 75 payments per person. Any way you count it, it's hard to deny that, as with a line of scrimmage, there's action around ACH.
Innovation, too, has been burgeoning. The Federal Reserve System's Retail Payments Office, which is located at the Atlanta Fed, is one of two ACH network operators, so we have a front row seat. We're seeing lots of fintech creation, including, for instance, mobile apps and voice-activated or conversational payments. Much of this innovation takes place through a democratic rule-making process, whereby stakeholder work groups study recommend opportunities for modernization. These groups have been extremely busy.
October 30 was the deadline for all depository financial institutions participating in the ACH Network to register their primary representative in the ACH Contact Registry. Nacha will maintain this database on behalf of registry members, making it easier for them to contact one another. For them to have fast access to live humans managing ACH operations can be critical, especially when mitigating time-sensitive fraud events such as business email compromise.
In the never-ending fight against fraud, three changes will take effect in 2021. First, Supplemental Fraud Detection for WEB Debits (WEB debits are also known as internet-initiated entries). With this change, ACH originators will be required to include account validation within a commercially reasonable fraudulent-transaction detection system for the first use of new account information. This validation will help block ineligible receivers. Second, security requirements for stored data will be enhanced. Third, a new return-reason code will be created for unauthorized returns, allowing financial institutions to immediately differentiate unintended mistakes from suspected fraud.
Next spring, another highly anticipated ACH change will occur. A new Same Day ACH processing window deadline of 4:45 p.m. goes live on March 19, 2021, which will expand access to same-day processing, especially beneficial to financial institutions in the Central, Mountain, and Pacific Time zones.
ACH was the very first payments system I studied, and I've been an ACH cheerleader ever since. I'm very excited for all the changes that are in play. And while my family and friends—well, most people for that matter—don't exactly celebrate the innovation wins with me, my payments teammates know how much work goes on around the ACH network to continue to make forward progress.
September 21, 2020
Personal Responsibility for Irrevocable Payment Scams
Those who have experience with parenting know that with many joys come challenges. For me, one of those challenges is teaching my children the importance of personal responsibility. Picking up after themselves, making sure their chores are finished before running out the door to play, and owning up to mistakes are just some of the personal responsibilities that they struggle with daily. And while there is a light at the end of the tunnel for this struggle, I firmly believe it is their having to experience the consequences that is getting us there. In this parent's opinion, knowing there are consequences for their actions helps children become responsible.
You might be thinking, "What does this notion of teaching personal responsibility have to do with payments?" Earlier this year, my colleague Dave Lott started the dialogue among those of us at the Risk Forum, and perhaps within some of our readers' circles, when in a post he posed the question "What is the likelihood that similar protections will be extended to consumers here (United States)?" The post was related to the extension of consumer protections in the United Kingdom to combat its growing problem of authorized push payment (APP) fraud.
In August, a UK-based consumer advocate organization called Which? released a research report based on the experiences of 150 consumers related to the Contingent Reimbursement Model (CRM) Code adopted by many financial institutions in the United Kingdom in 2019. The CRM Code has two primary goals: to reduce the occurrence of APP fraud and, for the fraud that occurs, to reduce the impact. Many of these scam payments in the United Kingdom are occurring on their faster payments rail, which was designed to make payments immediate and irrevocable. The report concluded that consumers' experiences with reimbursement for APP scams were mixed. Some consumers were reimbursed by their financial institution after authorizing payments to scammers while others were unable to receive any reimbursements.
The primary payment instrument in the United States today for large-scale corporate APP scams is wire. For consumers, person-to-person (P2P) services such as CashApp, Venmo, and Zelle are being used to scam individuals out of money. All these payments, both business and consumer, are irrevocable. Once the payments leave their accounts, neither the financial institution nor service provider has liability. But should individuals in the United States, like those in the United Kingdom, be afforded protections for these wire and P2P payments if they're scammed? And should these protections also apply to newer real-time payment schemes here in the United States?
My personal belief is that financial institutions or P2P services should not be responsible for people who fall victim to APP scams. Their responsibility should be limited to educating their customers on the rules around these payments and their finality when executed. APP scams are often the result of social engineering campaigns, and I am of the thought that, just as I expect my children to accept personal responsibility for their mistakes, it's fair for consumers to accept their responsibility for making sure they do not become the next social engineering victim. Do you think this is a reasonable approach to these scams and payments? Or should the United States banking industry and regulators move toward a model like the United Kingdom has in place?
August 17, 2020
Executive Spoofing Hits Close to Home
Sitting around a table outdoors, physical distancing with my family, the conversation turns to executive spoofing scams at work.
- Millennial works at a factory automation start- up: "Yeah, right. The CEO is sending me an email [snicker]."
- Millennial working in government contracting: "I get them all the time, sometimes from the CFO."
- Boomer works in software industry: "We got a warning just the other day that one is floating around. Don't send money."
We are talking about three businesses with employees numbered in the low hundreds. All privately held. Small fry, really. Every one of my family considers executive spoofing via phishing to be an everyday, ho-hum event.
Everyday, yes. Ho-hum, not so much. The FBI reports that 114,702 victims of phishing and its cousins vishing, pharming, and smishing lost almost $60 billion in 2019. Phishing is executed via email; vishing, via phone call or voicemail; pharming, via bogus websites; and smishing, via text message. Perpetrators request personal information or money. In addition, business email compromise (BEC), the foundational criminal act for executive spoofing of the sort my family members describe, resulted in more than $1.7 billion in losses related to 24,000 incidents in 2019, reports the FBI. The Association for Financial Professionals (AFP), in a survey of Treasury and finance professionals, found that BEC was the source of six in 10 fraud attempts in 2020.
A number of vendors offer products that use machine learning to fight these forms of fraud. Machine learning holds promise for automatically detecting these attacks. Nevertheless, as with much automation, the human being is the important last line of defense. A few days after that family meal, I see a scam alert. The gist: never, never, never will the Atlanta Fed president text me with a request to purchase $500 in gift cards.
The late Intel CEO Andy Grove said it perfectly: "Success breeds complacency. Complacency breeds failure. Only the paranoid survive." So please don't be ho-hum or complacent about these attacks and warn your family members and others.