Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources for help navigating through these uncertain times. Also listen to our special Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

September 3, 2019

Is Friction in Payments Always Bad?

Numerous posts in this blog have noted the conventional wisdom that the less friction there is for a consumer in making a payment, the likelier it is that the consumer will have a good experience. Merchants, especially ecommerce retailers, point to studies consistently showing that when customers are required, for stronger authentication, to enter more information than they're used to during a payment, the cart abandonment rate increases and merchants lose sales. I have learned from my own conversations with merchants that some have backed away from adding more risk management tools because they would rather take the financial loss from a fraudulent transaction than discourage an otherwise legitimate sale. This balancing act between reducing friction for the customer and reducing fraud risk to the merchant or payment card issuer is a constant challenge.

Many merchants have incorporated mobile devices' biometric authentication features into their mobile apps to keep the customer from having to provide additional authentication data. Some other vendors have recently developed risk mitigation and authentication tools that work completely in the background and give them more confidence that the individual conducting the transaction is legitimate. These tools range from behavioral analytics that rely on patterns of previous transactions—whether they're based on a specific customer or on a group of customers with a similar profile—to electronic device information, called device fingerprinting, that validates that the device being used is actually the customer's. The customer is unaware that these tools are being used, so experiences lower friction.

A new term being used for what is regarded as an improved payment experience is the invisible payment transaction. This happens when a payment is triggered automatically without any customer intervention at the time of the transaction. The best examples of invisible transactions are in the sectors of subscription or card-on-file services. Subscription services include any service where the customer has provided, for example, a payment card or deposit account for a transaction and authorized the merchant or service provider to make future payments using that account. Online retailers, rideshare services, and recurring payments for health clubs, parking garages, utility companies, and charitable organizations are all types of businesses that use subscription services. A relatively recent entrant in the invisible payment segment is the computer/camera monitored shopping experience at some retailers.

So do invisible payments mean we've achieved nirvana? While they certainly provide the lowest level of customer interaction, they also have some possible disadvantages. Consumer advocates are concerned about the impact such payments might have on an individual's budget management. What if they forget about a subscription payment, and when it's deducted from their account, it creates an overdraft or insufficient funds return? Will invisible payments result in increased spending by the consumer? And then there is the bother of updating a bunch of subscriptions if the consumer changes the funding account.

While research has shown that consumers see convenience as a positive factor, they also want to be confident that there is a security process that will make them less likely to be victims of fraud. Will we ever reach the place of total payments peace and happiness with the right balance of security and convenience? Please let us know what you think.

November 5, 2018

Organizational Muscle Memory and the Right of Boom

"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.

Image-one

The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.

This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?

Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online—BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your system has been overtaken by a ransomware attack? How do you serve your customers? What point is the "in case of fire break glass" moment, meaning, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?

An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.

Here is an example of a commander's intent statement:

Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.

Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

 

September 10, 2018

The Case of the Disappearing ATM

The longtime distribution goal of a major soft drink company is to have their product "within an arm's reach of desire." This goal might also be applied to ATMs—the United States has one of the highest concentration of ATMs per adult. In a recent post, I highlighted some of the findings from an ATM locational study conducted by a team of economics professors from the University of North Florida. Among their findings, for example, was that of the approximately 470,000 ATMs and cash dispensers in the United States, about 59 percent have been placed and are operated by independent entrepreneurs. Further, these independently owned ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate, and lower home values."

This finding directly relates to the issue of financial inclusion, an issue that is a concern of the Federal Reserve's. A 2016 study by Accenture pointed "to the ATM as one of the most important channels, which can be leveraged for the provision of basic financial services to the underserved." I think most would agree that the majority of the unbanked and underbanked population is likely to reside in the demographic areas described above. One could conclude that the independent ATM operators are fulfilling a demand of people in these areas for access to cash, their primary method of payment.

Unfortunately for these communities, a number of independent operators are having to shut down and remove their ATMs because their banking relationships are being terminated. These closures started in late 2014, but a larger wave of account closures has been occurring over the last several months. In many cases, the operators are given no reason for the sudden termination. Some operators believe their settlement bank views them as a high-risk business related to money laundering, since the primary product of the ATM is cash. Financial institutions may incorrectly group these operators with money service businesses (MSB), even though state regulators do not consider them to be MSBs. Earlier this year, the U.S. House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing over concerns that this de-risking could be blocking consumers' (and small businesses') access to financial products and services. You can watch the hearing on video (the hearing actually begins at 16:40).

While a financial institution should certainly monitor its customer accounts to ensure compliance with its risk tolerance and compliance policies, we have to ask if the independent ATM operators are being painted with a risk brush that is too broad. The reality is that it is extremely difficult for an ATM operator to funnel "dirty money" through an ATM. First, to gain access to the various ATM networks, the operator has to be sponsored by a financial institution (FI). In the sponsorship process, the FI rigorously reviews the operator's financial stability and other business operations as well as compliance with BSA/AML because the FI sponsor is ultimately responsible for any network violations. Second, the networks handling the transaction are completely independent from the ATM owners. They produce financial reports that show the amount of funds that an ATM dispenses in any given period and generate the settlement transactions. These networks maintain controls that clearly document the funds flowing through the ATM, and a review of the settlement account activity would quickly identify any suspicious activity.

The industry groups representing the independent ATM operators appear to have gained a sympathetic ear from legislators and, to some degree, regulators. But the sympathy hasn't extended to those financial institutions that are accelerating account closures in some areas. We will continue to monitor this issue and report any major developments. Please let us know your thoughts.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 4, 2018

The First Step in Risk Management

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

Chart-image

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

There are more than 250 different security frameworks globally. Examples include the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the Capability Maturity Model Integration (CMMI)®, and the Center for Information Security's Critical Security Controls. (In addition, many industries have industry-specific standards and laws, such as health care's HIPAA, created by the Health Insurance Portability and Accountability Act.) Each framework is essentially a set of best practices that enables organizations to improve performance, important capabilities, and critical business processes surrounding information technology security.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.

So, outside of complying with legal and regulatory requirements, how do you determine which framework or frameworks to adopt?

It depends! A Tenable Network Security report, Trends in Security Framework Adoption, provides insight into commonly adopted frameworks as well as the reasons companies have adopted them and how fully. Typically, organizations first consider security frameworks that have a strong reputation in their industries or for specific activities. They then look at compliance with regulations or mandates made by business relationships.

This chart shows reasons organizations have adopted the popular NIST Cybersecurity Framework.

Improving-critical-infrasture-cybersecurity-graph

The study found that there is no single security framework that the majority of companies use. Only 40 percent of respondents reported using a single security framework; many reported plans to adopt additional frameworks in the short term. Close to half of organizations (44 percent) reported they are using multiple frameworks in their security program; 15 percent of these are using three or more.

This year, the Federal Reserve System's Secure Payments Taskforce released Payment Lifecycles and Security Profiles, an informative resource that provides an overview of payments. Each payment type accompanies a list of applicable legal, regulatory, and industry-specific standards or frameworks. Spoiler alert: the lists are long and complex!

Let me point out a subsection appearing with each payment type that is of particular interest to this blog: "Challenges and Improvement Opportunities." Scroll through these subsections to see specific examples calling for more work on standards or frameworks.

Organizations need choices. But having too many frameworks to choose from, coupled with their constantly changing nature and the fluid payments environment, can complicate the implementation of a risk management strategy. With so many choices and so much in flux, how did you manage with step one of your risk management strategy?

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Take On Payments Search


Recent Posts


Categories