Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
February 10, 2020
Slowing Down the Mule Train
Slowing down the money mule train, that is. Money mules are those individuals who transfer money or goods received through fraudulent schemes on behalf of or at the direction of a criminal enterprise, often based outside the United States. It's a form of money laundering.
In December 2019, the FBI announced it was collaborating with other domestic and international law enforcement agencies to identify, stop, and prosecute major money mule networks. Two months later, it claimed that the operation had stopped the illegal actions of more than 600 domestic money mules—a 50 percent increase in their success rate over the entire previous year. (The U.S. efforts coincided with the European Money Mule Action, led by Europol, the European Union's agency that combats crime and terrorism.)
So who are these money mules and how are they recruited? The money mules fall into two main groups: innocent participants and those people who are as criminal as the leaders of the fraud schemes. It's the money mules who take the greatest risk; the leaders of the schemes use them to insulate themselves from arrest and prosecution.
The first group, the naïve participants, are generally recruited through online ads, résumés submitted to mainstream job search sites, or emails promising work-from-home employment as a "payment processing" or "money transfer" agent. Upon being "hired," these people must provide their bank account information so that deposits can be made to their accounts. If the victims say they want to open a new account to process these transactions, the contact dissuades them from doing so because new accounts face additional scrutiny and restrictions. When a deposit is made, a mule has to transfer those funds, minus the "commission," to another bank account. That account is usually outside the United States so the transfer occurs through an international money transfer service. The mule might also be asked to purchase gift cards, load funds onto them, and then provide the card numbers and PINs to the contact. Individual transactions are generally under $10,000 to avoid the filing of currency transaction reports or suspicious activity reports.
Sometimes truly innocent participants are caught in a "cuckoo smurfing" scheme. In this scenario, someone's bank account credentials are compromised without that person's knowledge. The criminal deposits or transfers money into the account and quickly moves it over to another account. The innocent participant isn't aware of this transaction until he or she checks the account.
However, the vast majority of money mules are people who clearly know they are acting illegally. They are often part of local, national, or international gangs, and use the proceeds of money mule activities to fund other criminal activities.
While there have been a number of enforcement successes, including the effort announced by the FBI, the constant attention being given to this problem indicates it persists. Hats off to all the various law enforcement agencies involved in this money mule crackdown. Hopefully, the increased publicity will prevent individuals from unknowingly becoming part of these networks as well as highlight the scams used to victimize others. What other actions do you think will help curb this type of crime?
February 3, 2020
Fuel Pump EMV Chip Liability Shift Looms Large
It has been quite some time since the Retail Payments Risk Forum has blogged about the state of the EMV chip in the United States. Perhaps the lack of coverage is a nod to the success and growth of EMV chip issuance and acceptance since the point-of-sale (POS) and ATM liability shifts that began in 2015 and 2016, respectively. The Federal Reserve's newly released payments study found that 57 percent of in-person card payments in 2018 used chip authentication compared to 2 percent in 2015. Talk about phenomenal progress over a three-year period! Yet there is more to do, and 2020 will be a big year for closing a big gap—EMV chip acceptance at the fuel pump, or what the industry generally calls automated fuel dispensers (AFDs).
In October, all of the global card networks' liability shifts will be implemented for AFDs. As a brief reminder, this liability shift means that petrol retailers will now be responsible for incurring the fraud losses on all non-EMV-chip-authenticated transactions initiated by EMV cards at their pumps. According to several industry associations that represent the convenience and petroleum store industry, this liability shift date will be a challenge for many station operators to meet given a limited availability of EMV-compatible AFDs as well as the technicians to install and certify the machines as EMV ready.
Through the years, the Risk Forum has stressed that criminals tend to gravitate to the easy targets when it comes to committing card fraud, or really any fraud in general. Card skimmers at AFDs pulling data off a card's magnetic stripe have been a major problem for decades. I have no doubt that the fraudsters are fully aware of the impending liability shift and will be stepping up their AFDs attacks in 2020 before the window of counterfeit card opportunity closes. Those retailers who are delaying their EMV migration or are unable to migrate by the liability shift date will become giant bulls' eyes. Expected card fraud losses in 2020 for the industry are not inconsequential—one industry association has estimated losses of $451 million. I should also note that the costs faced by the industry to migrate to EMV are also significant, at an estimated $3.9 billion.
After witnessing the successful rush by the industry to implement EMV chip at the POS and ATM, I am confident that the AFD EMV chip implementation ahead of the October liability shift will be a success, but all involved will definitely experience challenges. My confidence stems from the positive momentum I have seen from everyone involved in the payments industry working together for the common good to mitigate card fraud. With counterfeit card fraud losses through June 2019 down by over 60 percent since September 2015, I look forward to seeing even more decreases in counterfeit card fraud following this year's AFD liability shift.
January 20, 2020
We're Number 1! But Why?
A new paper from the Kansas City Fed asks the question, why are U.S. card fraud rates higher than those of other developed countries? Economist Fumiko Hayashi found that even after EMV migration in 2015, the U.S. had a significantly higher in-person card fraud rate than did Australia, France, and the United Kingdom. In all three years studied—2012, 2015, and 2016—the U.S. in-person fraud rate was more than three times higher than that of the other countries (see the chart).
She attributes these differences to three factors:
- The United States had a smaller share of chip transactions. EMV migration in the United States didn't really begin until 2015, compared to years (even decades) earlier for the other countries. According to the Federal Reserve Payments Study, 2 percent of in-person general-purpose card payments used chip authentication in 2015; that share increased to 57 percent in 2018.
- The other three countries use the multi-factor chip-and-PIN verification, which is a stronger method than what U.S. networks use: most chip transactions are chip only. For in-person general-purpose card payments in the United States in 2018, the Federal Reserve Payments Study found that 21 percent (17.8 billion payments) used chip-and-PIN.
- U.S. cardholders are more likely to use credit cards, which typically have higher fraud rates than debit cards.
Hayashi's paper gives a snapshot of the four countries at three points in time. Another approach to doing a country-to-country comparison would be to make a moving picture depicting the aftermath of the adoption of EMV chips for in-person payments. My Retail Payments Risk Forum colleague Doug King, in a paper published in June 2019, looked at the change in in-person fraud for Australia, France, and the United Kingdom and found that fraud rates for in-person transactions dropped after chip-and-PIN implementation. You can see in the figure above that U.S. in-person card fraud rates declined from 2015 to 2016, over the time of EMV implementation here.
Keep in mind that this post is a simplification of two complex papers. For example, Hayashi also analyzed remote card fraud rates. And Doug included some data from other nations. If you want more information, the Federal Reserve Payments Study has reported details on fraud for noncash payments in the United States, cards included, and also authorization methods for in-person general-purpose card payments (see figure 6 in the 2019 Federal Reserve Payments Study). I invite you to read these reports.
December 9, 2019
Payments in Review: A Webinar
Whether you are out dipping your payment card at a store, waiting in line behind a check writer, trying to look like you're working while you shop online for last-minute gifts using your digital wallet, or just always looking for more information about payments, grab your headphones for the last Talk About Payments webinar of 2019. On December 19, the Retail Payments Risk Forum team continues its tradition of discussing what we consider to be the significant payments events and issues of the year. We invite financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to participate.
The webinar 2019: Payments in Review features a live roundtable discussion with payments risk experts Doug King, Dave Lott, and Jessica Washington. You will be able to see how your reflections on 2019 payment events compare to the Risk Forum's perspectives and reflections on the year. To liven up the party, polling questions and real-time questions and comments will let you engage with the speakers.
Last year ended with increasing momentum in technology research and development—distributed ledger technology, contactless, machine learning—which continued into 2019, mixed with the some of the largest fintech mergers and acquisitions the industry has seen. Faster payments started taking new forms with added interest from industry stakeholders. The fight against payments fraud also changed shape during 2019, with some new collaborations and methods worth mentioning. Fintech is surely to be discussed along with other topics such as the proliferation of digital payment methods versus the state of cash.
Find out what you might need to consider as you promote safer payments innovation in the coming year.
The webinar will happen on Thursday, December 19, from 1 to 2 p.m. (ET). Participation is free, but you must register in advance. Once you register, you will receive a confirmation email with the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks after the event.
We look forward to you joining us on December 19 and sharing your perspectives on the payment events that took place in 2019.