Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
June 22, 2020
United Kingdom Extends Consumer Protection
A key element of a faster payments system is the finality of payment. Once the payer sends the payment (called an authorized push payment, or APP), it's pretty much gone for good. This finality provides a number of valuable benefits to both sender and receiver. But what if the sender has been deceived into authorizing a payment or simply makes an error in the payment destination instructions? In a March 2020 post, I discussed the growing concern in the United Kingdom about consumer liability for APPs. That concern resulted in regulatory action offering potential liability relief to consumers deceived into making such payments.
In an APP scam, a payer is tricked into transferring funds to a fraudster through an electronic payment. We have written in previous posts (including this one) about these advance fee scams; they involve people getting a call notifying them that they've won a lottery or owe delinquent tax payments, or they are asked by someone they've met through a dating site or service to send money. In the United States, once consumers have authorized such transactions, they are generally not protected from these losses by existing consumer protection regulations.
However, in the United Kingdom, the incidence rate for these APP scams reached such a level in 2017 that banking authorities took action. The financial services trade association UK Finance began collecting APP scam-fraud data and in January 2018 produced a best practices standards document to improve the identification and reporting of APP scams. The trade association noted that for 2019, losses from APP scams were £456 million (approximately US$581 million), compared to £354.3 million (approximately US$468.7 million) in 2018.
Also in 2018, the Financial Conduct Authority (FCA)—the United Kingdom's financial services regulator—began a series of regulatory changes intended to provide consumers with additional rights in APP disputes. Initially, APP fraud claims were directed to the consumer's financial institution, a payment service provider (PSP). The FCA concluded that the PSP receiving the funds was in a better position to investigate the situation and changed its guidelines to mandate including the receiving PSP in the investigation process.
The biggest shift occurred in May 2019, when the FCA launched a voluntary code regarding APP scams. The code, according to the industry group UK Finance, says that "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Under the code, a PSP is deemed to be at fault if it has not developed prevention (customer education) and detection programs. Although the code is labeled "voluntary," all the major U.K banks have been required to adopt it. There continue to be efforts in the British Parliament to mandate that all financial institutions, regardless of asset size, adopt the code.
In 2019, there were a reported 122,437 cases of APP fraud reported in the United Kingdom. These cases, which totaled £101 million in losses, were reviewed under the provisions of the code. Of that total, £41.3 million, or 41 percent, was reimbursed to the consumer. My reading of the code makes it seem very subjective; it appears that if the victim didn't believe it was a scam at the time they initiated the payment, they should be reimbursed. The FCA documents concede that there isn't a specific checklist to make such a determination but that each case should be decided on an individual basis—a compliance official's worst nightmare.
In an effort to preempt an unauthorized APP from taking place, the United Kingdom's retail payment operator (Pay.UK) introduced its Confirmation of Payee service in 2019. This service checks whether or not the payee name attached to the APP is the same name on the account receiving the payment. Originally mandated to be operational by July 2019, the deadline for adoption by the six major banks was extended to March 31, 2020. Then, because of the COVID-19 pandemic impact, the deadline was again extended, this time to June 30, 2020, although some of the big banks have already implemented the service.
As APPs gain popularity in the United States with faster payments and P2P services, what is the likelihood that similar protections will be extended to consumers here? Let us know what you think.
March 16, 2020
Are Emerging Payments More Vulnerable to Fraud?
Whenever I am in a conversation about new or emerging payment products or services, I invariably get asked whether I think they will attract heightened attention from criminals. My personal opinion is, "YES, at least initially!" Why do I have that opinion? The conventional wisdom is that criminals recognize that new payment systems are likely to have some security gaps in the beginning that can be exploited. There are a number of examples I can cite to support this position.
Consider the payment card enrollment process that accompanied the introduction of the Apple Pay wallet in late 2014. Whether it was a rush to get cardholders enrolled or because of loopholes in the Identification and Verification (ID&V) process, a number of the banks offering the service fell victim to fraud early on. Criminals enrolled a number of stolen credit and debit cards in the service and then were able to make high-dollar purchases because of weak verification controls. Some industry observers cited initial fraud losses in the 600-to-800-basis-point range at some of the early issuers. This rate compares to an overall in-person, payment card fraud rate of 12.2 basis points in 2015 cited in the Federal Reserve's Payments Study supplement Changes in U.S. Payments Fraud from 2012 to 2016. Fortunately, the affected banks reacted quickly and shored up their payment card enrollment processes.
Also consider the implementation of faster payments in the United Kingdom in 2008. As did other countries implementing faster payments, the United Kingdom tried to limit fraud by taking a measured approach. In the beginning, only credit push transactions with a maximum value of £10,000 (approximately $15,000) were eligible. (Most of the initial participating banks had lower limits.) In 2010, the maximum amount was raised to £100,000. Now the maximum limit is £250,000, although financial institutions may still set lower limits and differentiate between consumer and commercial account payments. My colleague Julius Weyman highlighted some of the fraud risks in faster payments in his 2016 working paper reviewing overall risks in faster payments schemes around the globe. He pointed to the 132 percent increase in online banking fraud the United Kingdom experienced in the year following implementation.
There is growing concern among consumers in the United States and the United Kingdom about the liability for authorized push payments—such as P2P payments—because of their near-real-time nature and their finality. In a future post, I'll examine this issue with authorized push payments and look at how the United Kingdom is dealing with it.
So circling back to my initial question, do you believe that the fraud rates for new and emerging payment products are likely to be higher than the more established payment products? Let us know what you think.
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
October 23, 2017
ACH and Consumer-Only Payments: Will the Twain Ever Meet?
For many years, person-to-person (P2P) payment providers have touted the emergence of compelling P2P mobile-based products that exploit some combination of financial institutions (FIs) and fintech providers. Several players have made notable inroads into P2P with certain demographics and use cases, but the overall results in terms of absolute numbers are far from ubiquitous. This post uses hard numbers to explore what progress ACH has made with P2P payments.
During a payments conference earlier this year that showcased findings from the Fed's triennial payments study (here and here), the table below was presented showing the number and value shares of domestic network ACH payments in 2015. The table is complicated because it shows both debit pull and credit push payments by consumer and business counterparties. Despite the complexity, the table distills ACH to its essence by removing details associated with the 14 transaction payment types (known as Standard Entry Class codes) that carry value for domestic payments. Many of these individual codes reflect similar types of payments (for example, three codes are used for converting first presentment checks to ACH). As expected, virtually all payments involve at least one business party to each payment. Consumer-only payments are negligible.
In a typical use case for consumer-only ACH, a consumer transfers funds from one account to another account across financial institutions. As shown in the solid red oval, 0.04 percent of all domestic payments were consumer-to-consumer payments, where the payee initiated a debit to the payer's bank account. For consumer credit push payments, the figure is 0.3 percent. The combined figure rounds to 0.3 percent. On the value side for consumer-only payments (in the dashed red oval), debit pulls, credit pushes, and the combined figure were 0.02 percent, 0.2 percent, and 0.2 percent, respectively. These types of payments typically reflect P2P payments1, when one consumer pushes funds to another consumer.
The next table shows the figures that prevailed in 2012. Given the modest share by both number and value across both years, it is apparent—and interesting—that ACH has made little progress in garnering consumer-only payments. Although ACH is ubiquitous on the receipt side across all financial institutions, it is not so for consumers, given the lack of widely promoted and compelling service offerings from FIs and no standardized form factor like there is for card payments. Additionally, many small FIs do not offer ACH origination services.
This lack of adoption is not unique to ACH. Although some of the electronic P2P entrants are experiencing significant growth, it will be some time before they supplant the billions of P2P cash and check payments. P2P players on the FI-centric side include Zelle, which a large consortium of banks owns. Non-FI providers include PayPal and its associated Venmo service. Given the lack of ubiquity with the new offerings, the fallback option for consumer-only payments is cash and checks. As the payments study reports, check use is still declining, though the most recent trend shows that this decline has slowed. ACH or other electronic options still seem a good bet to continue to erode paper options, but perhaps the market is signaling that paper options have ongoing utility and are still preferred if not optimal for some users in some instances.
So what would it take for ACH to gain some traction in the consumer payments space? Perhaps the presence of same-day ACH, in which credits were mandated in September of 2016 and debits followed in September 2017, offers some opportunity for compelling service offerings coupled with a user-friendly way to send an emergency payment to your ne'er-do-well son.
What are your views on the viability of ACH garnering more P2P payments?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
1 Sometimes account-to-account (A2A) transfers are lumped in with P2P payments.
Take On Payments Search
- account takeovers
- data security
- digital currency
- emerging payments
- identity theft
- payments risk
- payments studies/research
- Payment Services Directive
- supervision and regulation
- workforce development