
Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


September 30, 2013

Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC), in this case the processor, and also "know your customer's customer" (KYCC), in this case the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013

Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may also install a pinhole camera positioned to capture customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2012

Summer Is Gone, but ACH Fraud Remains

As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.

In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.

Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:

  • ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
  • ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
  • RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
  • RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
  • RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.

In addition to Deborah's suggestions, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.
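The file review and return monitoring recommended above can be automated along these lines. This is an added example, not code from the post or from NACHA: the entries, returns, field layout and thresholds are constructed assumptions, and R01, R03, R04 and R10 are standard NACHA return reason codes (insufficient funds, no account/unable to locate, invalid account number, customer advises not authorized).

```python
from collections import Counter, defaultdict

# Constructed sample: ACH debit entries an ODFI originated for two billers.
# Fields: trace id, originator (biller), payer name, routing no., account no.
ENTRIES = [
    ("T01", "UTILITY-CO", "A. Reyes",  "000000001", "111222333"),
    ("T02", "UTILITY-CO", "B. Chen",   "000000001", "111222333"),
    ("T03", "UTILITY-CO", "C. Okafor", "000000001", "111222333"),
    ("T04", "UTILITY-CO", "D. Miller", "000000002", "555000111"),
    ("T05", "CABLE-CO",   "E. Novak",  "000000001", "111222333"),
    ("T06", "CABLE-CO",   "F. Diaz",   "000000003", "777888999"),
    ("T07", "CABLE-CO",   "G. Patel",  "000000004", "246813579"),
    ("T08", "CABLE-CO",   "H. Stone",  "000000005", "135792468"),
]
# Constructed returns received from RDFIs: trace id -> return reason code.
RETURNS = {"T01": "R03", "T02": "R04", "T03": "R03", "T05": "R04", "T08": "R01"}

def repeated_combos(entries, min_payers=3):
    """Routing/account pairs supplied by at least min_payers distinct payers."""
    payers = defaultdict(set)
    for _trace, _orig, payer, routing, account in entries:
        payers[(routing, account)].add(payer)
    return {c: len(names) for c, names in payers.items() if len(names) >= min_payers}

def return_rates(entries, returns):
    """Per originator: {reason code: returned entries / originated entries}."""
    originated = Counter(orig for _t, orig, *_ in entries)
    by_reason = defaultdict(Counter)
    for trace, orig, *_ in entries:
        if trace in returns:
            by_reason[orig][returns[trace]] += 1
    return {o: {r: n / originated[o] for r, n in c.items()}
            for o, c in by_reason.items()}

def flag_originators(rates, watch=("R03", "R04", "R10"), threshold=0.25):
    """Originators whose combined rate for the watched reasons exceeds threshold.

    The default watch list targets invalid-account and unauthorized returns;
    the threshold is illustrative, not a NACHA limit.
    """
    flagged = {}
    for orig, per_reason in rates.items():
        total = sum(rate for reason, rate in per_reason.items() if reason in watch)
        if total > threshold:
            flagged[orig] = total
    return flagged
```
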

The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 16, 2012

Online and mobile banking create many front doors

"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.

An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.

The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.

Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.

Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.

Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.

Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.

Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.

Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.

With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.

By Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed
