Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
March 28, 2011
The nitty gritty of money transfer operators (MTOs)
When a friend of mine was travelling across Cambodia last year, he had a common, yet frightening, experience of the solo voyager: his wallet was stolen. Luckily, despite the seeming remoteness of his beach vacation, there were several Western Union agents in Sihanouk Ville. His parents were able to send him enough cash to finish out his trip. While losing his identification was still stomach-gnawing, he at least had the money to pay for lodging, food, and transportation. The global reach of money transmitters offers a clear value to travelers and migrants, but may also be valued by those wishing to exploit the companies for more nefarious purposes.
The reach of MTOs across the globe is a remarkable business accomplishment. Western Union or MoneyGram agents can be in from the smallest American town to the remotest corners of the globe. Western Union currently boasts 445,000 locations worldwide, and MoneyGram offers another 227,000. This already expansive agent network is quickly growing, with Western Union adding 150,000 locations since 2007. These MTOs serve the financial needs primarily of migrants—a significant portion of the worldwide population—offering not only money transfers but also ancillary services like prepaid cards, money orders, and walk-in bill payment. Immigrants in any given country are often unbanked or underbanked, yet often need to send cash remittances to family back home. MTOs are able to charge a premium for services that customers see as reliable, fast, and private.
But how exactly are these international money transfers executed? In Western Union's case, agents take cash from remitters and enter confirmation of cash receipt into Western Union's messaging system. The agents also collect data on both the sender and recipient. On the receiving end, the recipient in most cases presents photo identification at his or her local agent to pick up the cash. Western Union net settles with agents at the end of the day via ACH, if that service is available in the country, or by wire otherwise. Western Union has some intraday credit exposure to the transaction, as they commit to reimbursing the receiving agent regardless of the sender's solvency at the end of the day. Therefore, a Western Union transfer consists of three different streams: the flow of information between the sending and receiving agents via their messaging system, the separate communication between sending and receiving customers, and the final flow of funds between Western Union and the agents. MoneyGram's system operates similarly, but typically at a somewhat lower price point.
What are the risks?
The primary concern of regulators and law enforcement vis-à-vis MTOs is the risk of illicit use—bad actors taking advantage of these global networks to launder money and finance terrorism. Unlike banks that establish long-term account relationships with their clients, MTOs offer one-off transactions with more limited customer data. Consequently, MTOs may lack the relationship-level depth of customer data that banks have access to for risk mitigation purposes. Western Union has proactively led anti-money laundering (AML) compliance efforts in response to such fears. In 2010 testimony to Congress, Western Union reported spending more than $35 million annually on AML compliance. Although MTOs are global in scope, regulatory oversight is inherently limited to specific jurisdictions, and therefore the firms must interact with many different regulators and law enforcement agencies. MTOs currently operate under a complex structure of state, federal, and foreign regulation. Western Union has advocated for more consolidated regulation at the federal level, which may be in the cards, as the new Consumer Financial Protection Bureau (CFPB) will have jurisdiction over MTOs. Of greater concern may be unregistered MTOs, which operate outside the rule of law, and against whom FinCEN regularly brings enforcement.
Another concern facing MTO regulators is fraud. Social engineers sometimes use MTOs to try to part victims from their money. For example, a scam artist might convince a victim that he or she has won a cash prize but must first send a money transfer to cover the taxes before collecting the winnings. Of course, after the target sends the irreversible transfer, he or she never sees any winnings. We have previously covered MoneyGram's remedial efforts in this area, and Western Union calls out this risk as a special concern in their annual report:
The remittance industry has come under increasing scrutiny from government regulators and others in connection with its ability to prevent its services from being abused by people seeking to defraud others.... [T]he ingenuity of criminal fraudsters, combined with the potential susceptibility to fraud by consumers during economically difficult times, make the prevention of consumer fraud a significant and challenging problem. (p. 27)
The global ubiquity that lies at the heart of MTOs' value proposition is also a key risk factor for illicit use and fraud, as criminals may leverage the systems to divert illicit gains outside the jurisdiction of their crimes. While some companies have recognized this risk and actively worked to mitigate it, others may need regulatory encouragement. How can we most effectively monitor such expansive entities? How can industry and regulators better collaborate to bring unregistered MTOs into compliance with existing laws? These questions will be increasingly important as the CFPB moves to more rationally and comprehensively supervise this dynamic industry.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
May 24, 2010
Bank revenues and fraud detection: A marriage made in heaven?
Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.
The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.
Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.
The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant amount of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.
Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
Take On Payments Search
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- mobile payments
- money laundering
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- thirdparty service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud