Please enable JavaScript to view the comments powered by Disqus.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

March 30, 2020

Do We Use a Payments Risk Thermostat?

I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?Off-site link

The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.

  • We are not aware that hand washing is so effective.
  • We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.

Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.

I think this paper positing a "risk thermostatOff-site link" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."

So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)

As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:

  • U.S. Secret Service Adobe PDF file formatOff-site link: Watch out for phishing scams posing as medical or health providers, charity scams on social media.
  • Federal Trade Commission (FTC)Off-site link: Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
  • U.S. Securities and Exchange CommissionOff-site link Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of providing companies will increase in value.

As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.

Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.

September 4, 2018

The First Step in Risk Management

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

Chart-image

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

There are more than 250 different security frameworks globally. Examples include the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the Capability Maturity Model Integration (CMMI)®, and the Center for Information Security's Critical Security Controls. (In addition, many industries have industry-specific standards and laws, such as health care's HIPAA, created by the Health Insurance Portability and Accountability Act.) Each framework is essentially a set of best practices that enables organizations to improve performance, important capabilities, and critical business processes surrounding information technology security.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.

So, outside of complying with legal and regulatory requirements, how do you determine which framework or frameworks to adopt?

It depends! A Tenable Network Security report, Trends in Security Framework Adoption, provides insight into commonly adopted frameworks as well as the reasons companies have adopted them and how fully. Typically, organizations first consider security frameworks that have a strong reputation in their industries or for specific activities. They then look at compliance with regulations or mandates made by business relationships.

This chart shows reasons organizations have adopted the popular NIST Cybersecurity Framework.

Improving-critical-infrasture-cybersecurity-graph

The study found that there is no single security framework that the majority of companies use. Only 40 percent of respondents reported using a single security framework; many reported plans to adopt additional frameworks in the short term. Close to half of organizations (44 percent) reported they are using multiple frameworks in their security program; 15 percent of these are using three or more.

This year, the Federal Reserve System's Secure Payments Taskforce released Payment Lifecycles and Security Profiles, an informative resource that provides an overview of payments. Each payment type accompanies a list of applicable legal, regulatory, and industry-specific standards or frameworks. Spoiler alert: the lists are long and complex!

Let me point out a subsection appearing with each payment type that is of particular interest to this blog: "Challenges and Improvement Opportunities." Scroll through these subsections to see specific examples calling for more work on standards or frameworks.

Organizations need choices. But having too many frameworks to choose from, coupled with their constantly changing nature and the fluid payments environment, can complicate the implementation of a risk management strategy. With so many choices and so much in flux, how did you manage with step one of your risk management strategy?

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 25, 2017

Fed Payments Webinar Series Launching

One of the comments we consistently received when we conducted the Mobile Banking/Payments Survey last fall was the desire for the Atlanta Federal Reserve to provide more educational opportunities on current payment technologies and issues. Not only have small and mid-sized financial institutions expressed this need, but so have consumer advocacy groups and law enforcement agencies. Educational efforts, along with research, on payment risk issues are at the core of the Retail Payments Risk Forum's overall mission.

In response to these requests, the Risk Forum is launching a webinar series called Talk About Payments (TAP). The TAP webinars will supplement this blog, forums and conferences we convene, and other works we publish on the Forum's web pages. The current plan is for the webinars to be presented once a quarter. Financial institutions, retailers, payment processors, law enforcement, academia, and other payment system stakeholders are all welcome to participate in the webinars. Participants can submit questions during the event.

We will have our first webinar—titled "How Safe Are Mobile Payments?"—on Thursday, October 5, from 1 to 2 p.m. (ET). The webinar will cover such topics as mcommerce growth, mobile wallets, tokenization, fraud attack points, and risk mitigation tools and tactics.

Participation in the webinar is complimentary, but you must register in advance. To register, go to the TAP webinar web page. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information.

We hope you will join us for our first webinar on October 5, and for our future webinars. If there are any particular topics you would like for us to cover in future webinars, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

September 18, 2017

The Rising Cost of Remittances to Mexico Bucks a Trend

From time to time, I like to look back at previous Risk Forum activities and see what payment topics we've covered and consider whether we should revisit any. In September 2012, the Risk Forum hosted the Symposium on 1073: Exploring the Final Remittance Transfer Rule and Path Forward. Seeing that almost five years have passed since that event, I decided I'd take another, deeper look to better understand some of the effects that Section 1073 of the Dodd-Frank Act has had on remittances since then. I wrote about some of my findings in a paper.

As a result of my deeper look, I found an industry that has been rife with change since the implementation of Section 1073 rules, from both a regulatory and technology perspective. Emerging companies have entered the landscape, new digital products have appeared, and several traditional financial institutions have exited the remittance industry. In the midst of this change, consumers' average cost to send remittances has declined.

Conversely, the cost to send remittances within the largest corridor, United States–Mexico, is rising. The rising cost is not attributable to the direct remittance fee paid to an agent or digital provider but rather to the exchange rate margin, which is the exchange rate markup applied to the consumer's remittance over the interbank exchange rate. As remittances become more digitalized and the role of in-person agents diminishes, I expect the exchange rate margin portion of the total cost of remittance to continue to grow.

Even though the average cost of sending remittances to Mexico is on the rise, I found that consumers have access to a number of low-cost options. The spread between the highest-cost remittance options and the lowest-cost options is significant.

Figure-11

With greater transparency than ever before in the remittance industry, consumers now have the ability to find and use low-cost remittance options across a wide variety of provider types and product options. To read more about the cost and availability of remittances from the United States to Mexico and beyond in a post-1073-rule world, you can find the paper here.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed