Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
December 23, 2019
New Data Posted for Federal Reserve Payments Study
If you're looking for payments reading during the holidays, take a look at a new report, the Federal Reserve Payments Study 2019, which was published last Thursday on the Federal Reserve's website.
The report finds that growth in card and ACH payments has accelerated.Here are some key findings:
- The number of ACH credit and debit transfers grew by 6 percent a year between 2015 and 2018, exceeding the 4.9 percent per year growth rate recorded for the period from 2012 to 2015.
- Debit and credit card payments grew at an accelerated rate of 8.9 percent a year between 2015 and 2018, up from the 6.8 percent yearly rate of increase from 2012 to 2015.
- For general-purpose cards overall, the value of remote payments in 2018 nearly equaled that of in-person payments.
- More than half of in-person general-purpose card payments were chip-authenticated, up from 2 percent in 2015.
- Payments made by check fell 7.2 percent a year from 2015 to 2018.
The 2019 Federal Reserve Payments Study covers card (credit, non-prepaid debit, and prepaid debit), ACH, and check payments and ATM withdrawals. In these days of fintech and new ways to pay with a phone or fingerprint, these core noncash payment types are used not only in traditional ways but also to make possible alternative payment methods and services.
We look forward to continuing the payments conversation with you on January 6, 2020, when I will be challenging you to a game of pay-with-your-phone bingo.
November 25, 2019
We Are Thankful For...
Several years ago, I began the practice of making a list around Thanksgiving of things I am thankful for. I was pondering what I might include on my list this year while I was stuck in traffic behind an awful wreck I was thankful I wasn’t involved in. And then the idea hit me that maybe we at the Risk Forum should create our own list focused on what we are thankful for in payments.
To keep the list at proper blog length, I asked each Risk Forum member to name just one item. Without further ado, the Risk Forum presents to you our 2019 Thanksgiving week "What we are thankful for in payments" list.
- Nancy Donahue, project manager: I’m thankful that my debit card has only been breached once this year and although the criminal lived it up at several fast food restaurants and c-stores, it was less than $100 total and I got my money back!
- Claire Greene, payments risk expert: I am thankful that direct deposit lets me put my finances on autopilot. I’ve split my paycheck into different accounts: one for retirement, one for the mortgage, one for saving, and one for everyday expenses.
- Douglas King, payments risk expert: I am thankful for the ability to pay via self-checkout at my local grocery store and receive cash back when using my debit card.
Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene
- Dave Lott, payments risk expert: I am thankful for law enforcement and other security professionals who work diligently to protect the integrity of our payments system.
- Catherine Thaliath, project management expert: I am thankful for credit card rewards programs. It is nice to get rewarded with cash back or even a free plane ticket just by using your credit card for everyday purchases!
- Jessica Washington. payments risk expert: I am thankful for payments industry collaboration. This year I have seen improvements in fraud information sharing across stakeholders; partnerships between fintechs, financial institutions, and payment networks to promote financial inclusion; and working groups embracing emerging payment innovations.
- Julius Weyman, vice president and forum director: I am thankful that I can write a check where it makes sense; pay online where it makes sense; get paid via ACH (no choice in that, but wouldn’t choose otherwise); pull bills from a real wallet (not the fake kind) and pay that way, where it makes sense; and use a card (and get rewards), which almost always makes sense and is the one I use the most.
And we are thankful for YOU: our readers of Take On Payments and supporters of the Risk Forum. We sincerely appreciate your comments, kudos, and criticism, and hope that you all find value in the information we provide and share. As we enter into these crazy last weeks of 2019, we wish you and yours a wonderful holiday season.
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
February 19, 2019
Acute Audit Appendicitis
My son came home from school the other day and told me that his friend’s kidney had "popped." With great concern and further investigation, I found out that his friend had suffered from appendicitis but had since recovered. Luckily, fifth grade boys and most of the human race can get along fine without an appendix. And, as it turns out, there is another type of appendix people can live without: Appendix Eight—Audit Requirements—in the NACHA Operating Rules. NACHA members recently voted to cut this part out.
But wait—don’t celebrate too soon. The change doesn’t eliminate the requirement to conduct an annual ACH rules compliance audit. Rather, members voted to modify "the Rules to provide financial institutions [FI] and third-party service providers with greater flexibility in conducting annual Rules compliance audits." Specifically, the change—which was effective January 1, 2019—affected the following areas of the NACHA Operating Rules:
- Article One, Subsection 1.2.2 (Audits of Rules Compliance): Consolidates the core audit requirements described within Appendix Eight under the general obligation of participating DFIs and third-party service providers/senders to conduct an audit.
- Appendix Eight (Rule Compliance Audit Requirements): Eliminates the current language contained within Appendix Eight; combines relevant provisions with the general audit obligation required under Article One, Subsection 1.2.2.
FIs and ACH payment processors must still conduct, either internally or outsourced, an annual audit of their compliance with the ACH rules each year. They also must retain adequate proof of completion for no less than six years and may, during that term, need to provide proof to NACHA or a regulator. And they will have to adjust their audit methodologies to ensure that they comply with all relevant rules rather than just rely on the former Appendix Eight checklist.
The new audit process necessitates a risk-based approach, which is a strategy regulators have been encouraging in recent years. With so many emerging technologies, products, and services in the payments industry, FIs and ACH payment processors can no longer take a one-size-fits-all approach for compliance. They also no longer have a single access point to ACH—rather, they must consider many access points when auditing for Rules compliance.
These institutions may not have previously had to take into account other areas that touch payments. For example, the risk-based audit doesn’t explore just the deposit operations department; it analyzes how the whole enterprise interacts with ACH systems. Additionally, it may need to include loan operations, online account opening, person-to-person (P2P) products, investment management, and other new digital channels.
Life without Appendix Eight will be an adjustment, but its removal won’t be fatal. I think ACH participants will recover quickly and be even healthier—embracing the new risk-based compliance model will likely strengthen enterprise risk management and promote increased safety and stability in our payment systems.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
Take On Payments Search
- account takeovers
- data security
- digital currency
- emerging payments
- identity theft
- payments risk
- payments studies/research
- Payment Services Directive
- supervision and regulation
- workforce development