
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


November 18, 2019

Will Payments Be Getting REAL?

When someone tells you to "get real," they mean you'd better understand the true facts of a situation. Well, you'd better get REAL if you want to enter a federal building or fly on a commercial aircraft after October 1, 2020. Unusual for such major federal legislation, the REAL in the REAL ID Act of 2005 isn't an acronym but an all-caps word intended to emphasize that states must adopt minimum federal standards for the documents required to obtain a driver's license or state-issued ID card. The act also prohibits federal agencies from accepting noncompliant IDs for official purposes.

The good news is that most states have, for a number of years, been issuing driver's licenses and ID cards that comply with the REAL ID Act, so more than likely your ID is already compliant. How can you tell? Look for a gold or black star in the upper right corner of your card. In my state, the Georgia Department of Driver Services has been issuing compliant licenses and cards since July 1, 2012, and estimates that more than 96 percent of registered Georgia drivers have a compliant license. However, three states—New Jersey, Oklahoma, and Oregon—only came into compliance in early October after being granted a number of extensions.

[Image: sample State of Georgia driver's license that is REAL ID compliant]

So much time—15 years—has passed between passage of the act and the final compliance deadline because 25 states mounted legal challenges to the act's constitutionality, often claiming that it was essentially establishing a national ID card or abridging states' rights. These challenges were all defeated, but the Department of Homeland Security was required to announce a number of compliance extensions to give the states time to change their processes.

In reality, you do not have to have REAL ID-compliant identification to access federal services or commercial flights. A passport will suffice, although I think a state-issued license or ID card is more convenient. A REAL ID-compliant card, however, is not a substitute for a passport for international travel.

This website has a great deal of background and interesting information about the REAL ID program and the states' implementation. You can also find REAL ID information on the websites of most state motor vehicle departments.

You might ask: so what? What does this change have to do with payments and risk? While the REAL ID Act technically affects only a citizen's interactions with federal agencies, it's quite possible that financial institutions will begin requiring a compliant driver's license or ID card as the acceptable form of documentary identification under their Customer Identification Program (the account-opening identity verification rule that implements section 326 of the USA PATRIOT Act).

Are you ready? Get REAL!

September 23, 2019

Designing Disclosures to Be Read

Have you ever wondered if consumers actually look at disclosures for payment services? And if they do look at them, how much time do you think they spend reading them? If the average adult reads around 250 words per minute and a disclosure page contains 1,000 words—likely a low estimate—then a consumer would spend four minutes on the page before clicking accept or reject. I am confident that a more realistic estimate of time consumers spend on these pages falls far short of the time required to read the legally required consumer protection information. How many of us just click on the "I Accept" button without reading the disclosure? Maybe it's time to come up with a better way to disclose.

I believe that disclosures are one of the more dreaded elements in designing, launching, and managing financial services. If you haven't experienced the dread first hand, you can find evidence of it in the countless comment letters submitted by payments stakeholders and posted to the Federal Register when a proposed rule could affect disclosure terms. The work and expense of delivering disclosures at precisely the time required by law are completely wasted when consumers fail to read them.

The goal of disclosures is to educate consumers on a product's terms and conditions, to define their responsibilities, and to ultimately protect them from financial harm or surprises. With this information, consumers can make informed decisions. We should hope consumers comprehend and retain the critical information provided.

Opportunities exist to present important consumer protection information in ways that are far more easily digestible than a thousand-word disclosure in a four-point font. For instance, a gamification model could ask the consumer direct questions related to fees in pop-up windows with animated visual representations of the scenarios. You can brainstorm to come up with messages, jotting down quick ideas—for example, "You chose instant transfer, the fee is $1, Accept or Decline." Or, "Help us monitor your transactions daily, instant transfers will be $0, Accept or Decline." A large font and short words can quickly articulate the key points and big risks. Moreover, building the disclosure logic into the technology better protects the consumer.

Here's some good news—you now have the support of the Consumer Financial Protection Bureau (CFPB) to test your innovative solutions in making disclosures likelier to achieve their aim. The CFPB's Office of Innovation recently issued new policies to encourage innovation. For example, the office instituted a trial disclosure program and has committed to granting or denying applications for these trials within 60 days of submission. Accepted applicants will have up to two years to test their disclosures. They will also have access to state and global regulators through the CFPB's affiliation with the Federal Financial Institutions Examination Council, the Global Financial Innovation Network, and the newly formed American Consumer Financial Innovation Network.

Applicants and disclosures need not be company- or product-specific, although that is an option. Service providers, trade associations, consumer groups, or other third parties may also use the trial application program. Group applications could help spread trial disclosure development costs so that smaller entities would be able to afford to participate in the program. The CFPB's Office of Innovation showed that intent in its first "No-Action Letter" under the new policy, issued to more than 1,600 HUD housing counseling agencies: it states that the Bureau will not take enforcement action against agencies that enter into "certain fee-for-service arrangements with lenders for pre-purchase housing counseling services."

Have you considered redesigning a payment product or service disclosure so that consumers will be likelier to read it? Apply to test it, and good luck!

September 3, 2019

Is Friction in Payments Always Bad?

Numerous posts in this blog have noted the conventional wisdom that the less friction there is for a consumer in making a payment, the likelier it is that the consumer will have a good experience. Merchants, especially ecommerce retailers, point to studies consistently showing that when customers are required, for stronger authentication, to enter more information than they're used to during a payment, the cart abandonment rate increases and merchants lose sales. I have learned from my own conversations with merchants that some have backed away from adding more risk management tools because they would rather take the financial loss from a fraudulent transaction than discourage an otherwise legitimate sale. This balancing act between reducing friction for the customer and reducing fraud risk to the merchant or payment card issuer is a constant challenge.

Many merchants have incorporated mobile devices' biometric authentication features into their mobile apps to keep the customer from having to provide additional authentication data (the biometric is matched on the device itself; the app receives only a pass or fail result). Other vendors have recently developed risk mitigation and authentication tools that work completely in the background and give merchants more confidence that the individual conducting the transaction is legitimate. These tools range from behavioral analytics that rely on patterns of previous transactions—whether they're based on a specific customer or on a group of customers with a similar profile—to device fingerprinting, which compares characteristics of the device being used (browser, operating system, screen, language, and the like) with those of the device the customer has used before. The customer is unaware that these tools are being used and so experiences less friction. Neither signal is proof: a fingerprint can be replayed by malware on the customer's own device, and a baseline built from a compromised account's history is itself suspect, so these tools are best used to decide when to challenge rather than to replace the challenge altogether.
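The following is an added example, not code from the post or from any vendor's product, of the kind of background risk check described above. It derives a device fingerprint from client-reported attributes, builds a behavioral baseline from the customer's past transaction amounts, and decides whether to let a payment through silently or to step up to an explicit challenge. The attribute set, weights, and the 50-point step-up threshold are assumptions chosen for illustration.

```python
"""Added example: background (frictionless) risk scoring with a device
fingerprint and a behavioural baseline. Weights and thresholds are
illustrative assumptions, not any vendor's model."""
import hashlib
import statistics
from dataclasses import dataclass, field


def device_fingerprint(attrs: dict) -> str:
    """Hash a canonical (sorted) rendering of the client attributes.

    A fingerprint is a probabilistic identifier, not proof of possession:
    anything the client reports can be replayed by malware on that client
    or by an attacker who captured it, so treat a match as one signal.
    """
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


@dataclass
class CustomerProfile:
    known_devices: set = field(default_factory=set)   # fingerprints seen with this customer
    past_amounts: list = field(default_factory=list)  # amounts of prior approved payments


def risk_score(profile: CustomerProfile, amount: float, fingerprint: str) -> int:
    """Additive score: an unknown device and a statistically unusual amount both raise it."""
    score = 0
    if fingerprint not in profile.known_devices:
        score += 40
    if len(profile.past_amounts) >= 3:
        mean = statistics.mean(profile.past_amounts)
        spread = statistics.pstdev(profile.past_amounts) or 1.0  # avoid division by zero
        z = (amount - mean) / spread
        if z > 3:
            score += 50
        elif z > 2:
            score += 25
    else:
        score += 15  # thin history: less confidence in the baseline
    return score


def decide(profile: CustomerProfile, amount: float, attrs: dict, step_up_at: int = 50) -> str:
    """'frictionless' lets the payment proceed on background signals alone;
    'step_up' asks the customer for an explicit second factor."""
    fp = device_fingerprint(attrs)
    return "step_up" if risk_score(profile, amount, fp) >= step_up_at else "frictionless"


def record_approved(profile: CustomerProfile, amount: float, attrs: dict) -> None:
    """Update the baseline only after a payment was approved (and ideally not
    later disputed), so a fraudster cannot train the model with their own traffic."""
    profile.known_devices.add(device_fingerprint(attrs))
    profile.past_amounts.append(amount)


# Constructed sample data: one regular customer and the laptop they always use.
LAPTOP = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0", "screen": "1920x1080",
          "tz": "America/New_York", "lang": "en-US"}
PHONE = {"ua": "Mozilla/5.0 (Linux; Android 9) Chrome/76.0", "screen": "412x869",
         "tz": "America/New_York", "lang": "en-US"}


def demo_profile() -> CustomerProfile:
    p = CustomerProfile()
    for amt in (20.0, 25.0, 22.0, 30.0, 23.0):
        record_approved(p, amt, LAPTOP)
    return p


if __name__ == "__main__":
    p = demo_profile()
    print(decide(p, 26.0, LAPTOP))   # known device, usual amount
    print(decide(p, 26.0, PHONE))    # a new device alone is not enough to challenge
    print(decide(p, 400.0, PHONE))   # new device and unusual amount: challenge
```

The design choice worth noticing is that a new device by itself scores below the threshold: that is the merchant's tradeoff from the post, accepting some fraud exposure rather than challenging every customer who buys from a new phone, while an unusual amount on a new device is always stepped up.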

A new term being used for what is regarded as an improved payment experience is the invisible payment transaction. This happens when a payment is triggered automatically without any customer intervention at the time of the transaction. The best examples of invisible transactions are in the sectors of subscription or card-on-file services. Subscription services include any service where the customer has provided, for example, a payment card or deposit account for a transaction and authorized the merchant or service provider to make future payments using that account. Online retailers, rideshare services, and recurring payments for health clubs, parking garages, utility companies, and charitable organizations are all types of businesses that use subscription services. A relatively recent entrant in the invisible payment segment is the computer/camera monitored shopping experience at some retailers.

So do invisible payments mean we've achieved nirvana? While they certainly provide the lowest level of customer interaction, they also have some possible disadvantages. Consumer advocates are concerned about the impact such payments might have on an individual's budget management. What if they forget about a subscription payment, and when it's deducted from their account, it creates an overdraft or insufficient funds return? Will invisible payments result in increased spending by the consumer? And then there is the bother of updating a bunch of subscriptions if the consumer changes the funding account.

While research has shown that consumers see convenience as a positive factor, they also want to be confident that there is a security process that will make them less likely to be victims of fraud. Will we ever reach the place of total payments peace and happiness with the right balance of security and convenience? Please let us know what you think.

August 19, 2019

Why Should You Care about PSD2?

The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. The regulatory technical standards on strong customer authentication, drafted by the European Banking Authority and adopted by the European Commission in November 2017, require all payment service providers in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit national regulatory authorities to extend compliance deadlines for a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.

PSD2 has two major requirements: open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The U.K.'s Competition and Markets Authority had required the largest U.K. banks to have open banking in place by early 2018, while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on PSD2's strong customer authentication requirements.

Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:

  • Something you know (for example, PIN or password)
  • Something you have (for example, chip card, mobile phone, or hardware token)
  • Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)

PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, there is an additional requirement: the authentication code must be bound to the specific transaction amount and the payee, so that a code generated for one payment is invalid for any other amount or payee. The regulation calls this dynamic linking, and it is what stops a man-in-the-browser attack from reusing a code the customer approved for a different payment.

The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:

  • Low-value transactions (under €30, approximately $33)
  • Transactions with businesses that the consumer identifies as trusted
  • Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
  • "Low-risk" transactions, based on the payment service provider's (acquirer's or issuer's) overall fraud rate calculated on a 90-day basis. The permitted transaction value rises as the fraud rate falls and can be as high as €500 (about $555).
  • Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
  • Business-to-business (B2B) payments made through secure corporate payment processes or protocols

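The following is an added example, not code from the post or from any regulator or scheme, of an SCA decision flow for a remote card payment that covers both the exemptions listed above and the dynamic linking requirement described earlier. It goes slightly beyond the post's figures: the €30 low-value limit, its cumulative €100-or-five-transactions counter, and the €100/€250/€500 fraud-rate bands for the low-risk exemption are taken from the RTS on SCA (Commission Delegated Regulation (EU) 2018/389, Articles 16 and 18). The HMAC construction, the session-key model, the message layout, and the counter handling are assumptions for illustration; a real authenticator would hold the key in the customer's device or token and display amount and payee on a channel the merchant page cannot alter.

```python
"""Added example: SCA exemption check plus a dynamically linked
authentication code. Thresholds follow the RTS on SCA; everything else
(key handling, message format, counters) is an illustrative assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

LOW_VALUE_LIMIT = Decimal("30")         # Art. 16: single remote transaction
LOW_VALUE_CUMULATIVE = Decimal("100")   # ... and cumulative spend since last SCA
LOW_VALUE_MAX_COUNT = 5                 # ... or five consecutive transactions
TRA_BANDS = [                           # Art. 18: (exemption threshold value, max fraud rate)
    (Decimal("500"), Decimal("0.0001")),
    (Decimal("250"), Decimal("0.0006")),
    (Decimal("100"), Decimal("0.0013")),
]


@dataclass
class Transaction:
    amount: Decimal
    payee: str                   # payee identifier the code is bound to (IBAN, merchant ID)
    channel: str = "remote"      # "remote" | "moto" | "b2b"
    recurring: bool = False      # same amount and payee as a series authenticated at setup
    trusted_payee: bool = False  # payer whitelisted this beneficiary using SCA


@dataclass
class PayerState:
    low_value_sum: Decimal = Decimal("0")  # spend under the low-value exemption since last SCA
    low_value_count: int = 0


def exemption(txn: Transaction, payer: PayerState, fraud_rate: Decimal) -> Optional[str]:
    """Name of the exemption that applies, or None when SCA is required.
    fraud_rate is the PSP's quarterly reference fraud rate for remote card payments."""
    if txn.channel in ("moto", "b2b"):
        return txn.channel  # MOTO is out of scope; B2B via secure corporate protocols is exempt
    if txn.trusted_payee:
        return "trusted_beneficiary"
    if txn.recurring:
        return "recurring_same_amount"
    if (txn.amount <= LOW_VALUE_LIMIT
            and payer.low_value_sum + txn.amount <= LOW_VALUE_CUMULATIVE
            and payer.low_value_count < LOW_VALUE_MAX_COUNT):
        return "low_value"
    for limit, max_rate in TRA_BANDS:  # a lower fraud rate unlocks a higher value band
        if txn.amount <= limit and fraud_rate <= max_rate:
            return "tra"
    return None


def _linked_message(nonce: bytes, txn: Transaction) -> bytes:
    # The code is computed over amount and payee, so it is invalid for any other pair.
    return nonce + f"{txn.amount:.2f}|{txn.payee}".encode()


def issue_auth_code(session_key: bytes, txn: Transaction) -> Tuple[bytes, str]:
    """Issue a one-time code bound to this amount and payee (dynamic linking)."""
    nonce = secrets.token_bytes(16)
    return nonce, hmac.new(session_key, _linked_message(nonce, txn), hashlib.sha256).hexdigest()


def verify_auth_code(session_key: bytes, txn: Transaction, nonce: bytes, code: str) -> bool:
    """Constant-time check; a real verifier also rejects a nonce it has seen before."""
    expected = hmac.new(session_key, _linked_message(nonce, txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def process(txn, payer, fraud_rate, session_key, presented=None):
    """Returns (outcome, exemption). presented is the (nonce, code) pair from the payer."""
    ex = exemption(txn, payer, fraud_rate)
    if ex is not None:
        if ex == "low_value":
            payer.low_value_sum += txn.amount
            payer.low_value_count += 1
        return "exempt", ex
    if presented is None:
        return "sca_required", None
    nonce, code = presented
    if verify_auth_code(session_key, txn, nonce, code):
        payer.low_value_sum, payer.low_value_count = Decimal("0"), 0  # SCA resets the counters
        return "authenticated", None
    return "rejected", None
```

The two checks that matter in review are the ones that fail closed: a tampered amount or payee yields a different message and so a different HMAC, and a payer who has exhausted the low-value counter falls through to the fraud-rate bands rather than staying exempt.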
Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.