Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
April 1, 2019
Contactless Cards: The Future King of Payments?
Just over two years ago, my colleague Doug King penned a post lamenting the lack of dual interface, or "contactless," chip payment cards in the United States. In addition to having the familiar embedded chip, a dual interface card contains a hidden antenna that allows the holder to tap the card on or wave it near the POS terminal. This is the same technology—near field communications (NFC)—that various pay wallets inside mobile devices use.
Doug is now doing his daily fitness runs with a bigger smile on his face as the indicators appear more and more promising that 2019 will be the year of the contactless card. Large issuers have been announcing plans to distribute dual interface cards either in mass reissues or as a cardholder's current card expires. Earlier this year, some of the global brand networks launched advertising campaigns to make customers aware of the convenience that contactless cards offer.
So why have U.S. issuers not moved on this idea before now? I think there have been several reasons. First, for the last several years, financial institutions have focused a lot of their resources on chip card migration. Contactless cards will create an additional expense for issuers and many of them wanted to let the market mature as it has done in a number of other countries. They were also concerned about the failure of contactless card programs that some of the large FIs introduced in the early 2000s—most merchants lacked terminals capable of handling the technology.
The EMV chip migration solved much of the merchant terminal acceptance problem as the vast majority of POS terminals upgraded to support EMV chips can also support contactless cards. (While a terminal may have the ability to support the technology, the merchant has to enable that support.) Visa claims that as of mid-2018, half of POS transactions in the United States were occurring at terminals that were contactless-enabled. Another factor favoring contactless transactions is the plan by major U.S. mass transit agencies to begin accepting contactless payment cards. According to the American Public Transportation Association's 2017 Ridership Report, there were 41 transit agencies in the United States with annual passenger trip volumes of over 20 million trips.
Given that consumer payments is largely a total sum environment, these developments have led me to ask myself and others what effect contactless cards will have on consumers' use of other payment forms—in particular, mobile payments. As my colleagues and I have written numerous times in this blog, mobile payments continue to struggle to obtain consumer adoption, despite earlier predictions that they would catch on quickly. There are some who believe that the convenience of ubiquity and fast transaction speed will favor the dual purpose card. Others think that the increased merchant acceptance of contactless will help push the mobile phone into becoming the primary payment form.
My personal perspective is that contactless cards will hinder the growth of in-person mobile payments. There are those who claim to leave their wallet at home and never their phone, and they will continue to be strong users of mobile payments. But the reality is that mobile payments are not accepted at all merchant locations, whereas payment cards are practically ubiquitous. While I am a frequent user of mobile payments, simply waving or tapping a card appeals to me. It's much more convenient than having to open the pay application on my phone, sign on, and then authorize the transaction.
Do you believe the adoption of contactless cards by consumers and merchants will be as successful as it was for EMV chip cards? And do you think that contactless cards will help or hinder the growth of mobile payments? Let us hear from you.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 25, 2019
Safeguarding Privacy and Ethics in AI
In a recent post I referred to the privacy and ethical guidelines that the nonprofit advocacy group EPIC (Electronic Privacy Information Center) is promoting. According to this group, these guidelines are based on existing regulatory and legal guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. Given the continued attention to advancements in machine learning and other computing technology advancements falling under the marketing term of “artificial intelligence” (AI), I thought it would be beneficial for our readers if we were to review these guidelines so the reader can assess their validity and completeness. The heading and the italicized text in these guidelines are EPIC’s specific wording; additional text is my commentary. It is important to point out that neither the Federal Reserve System nor the Board of Governors has endorsed these guidelines.
- Right to Transparency. All individuals have the right to know the basis of an AI decision that concerns them. This includes access to the factors, the logic, and techniques that produced the outcome. EPIC says the main elements of this principle can be found in the U.S. Privacy Act and a number of directives from the European Union. It is unlikely that the average person would be able to fully understand the complex computations generating a decision, but everyone still has the right to an explanation of and validation for the decision.
- Right to Human Determination. All individuals have the right to a final determination made by a person. This ensures that a person, not a machine, is ultimately accountable for a final decision.
- Identification Obligation. The institution responsible for an AI system must be made known to the public. There may be many different parties that contribute to an AI system, so it is important that anyone be able to determine which party has overall responsibility and accountability.
- Fairness Obligation. Institutions must ensure that AI systems do not reflect unfair bias or make impermissible discriminatory decisions. I understand the intent of this principle—any program developed by a person will have some level of inherent bias—but how is it determined that the level of bias has reached an “unfair” level, and who makes such a determination?
- Assessment and Accountability Obligation. An AI system should be deployed only after an adequate evaluation of its purpose and objectives, its benefits, as well as its risks. Institutions must be responsible for decisions made by an AI system. An AI system that presents significant risks, especially in the areas of public safety and cybersecurity, should be evaluated carefully before a deployment decision is made.
- Accuracy, Reliability, and Validity Obligations. Institutions must ensure the accuracy, reliability, and validity of decisions. This basic principle will be monitored by the institution as well as independent organizations.
- Data Quality Obligation. Institutions must establish data provenance, and assure quality and relevance for the data input into algorithms. As an extension of number 6, detailed documentation and secure retention of the data input help other parties replicate the decision-making process to validate the final decision.
- Public Safety Obligation. Institutions must assess the public safety risks that arise from the deployment of AI systems that direct or control physical devices, and implement safety controls. As more Internet-of-Things applications are deployed, this principle will increase in importance.
- Cybersecurity Obligation. Institutions must secure AI systems against cybersecurity threats. AI systems, especially those that could have a significant impact on public safety, are potential targets for criminals and terrorist groups and must be made secure.
- Prohibition on Secret Profiling. No institution shall establish or maintain a secret profiling system. This principle ensures that the institution will not establish or maintain a separate, clandestine profiling system to assure the possibility of independent accountability.
- Prohibition on Unitary Scoring. No national government shall establish or maintain a general-purpose score on its citizens or residents. The concern this principle addresses is that such a score could be used to establish predetermined outcomes across a number of activities. For example, in the private sector, a credit rating score can be a factor not only in credit decisions but also in other types of decisions, such as for vehicle, life, and medical insurance underwriting.
- Termination Obligation. An institution that has established an AI system has an affirmative obligation to terminate the system if human control of the system is no longer possible. I refer to this final principal as the “HAL principle” from 2001: A Space Odyssey, where the crew tries to shut down HAL (a Heuristically programmed ALgorithmic computer) after it starts making faulty decisions. A crew member finally succeeds in shutting HAL down only after it has killed all the other crew members. HAL is an extreme example, but the principle ensures that an AI system’s actions do not override or contradict the actions and decision of the people responsible for the system.
On February 11, 2019, the president signed an executive order promoting the United States as a leader in the use of AI. In addition to addressing technical standards and workforce training, the order called for the protection of “civil liberties, privacy, and American values” in the application of AI systems. As the development of AI systems increases pace, it seems important that an ethical framework be put in place. Do you think these are reasonable and realistic guidelines that should be adopted? Do you think some of them will hinder the pace of AI application development? Are any principles missing?
Let us know what you think.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 18, 2019
The Patriots of the Payments Landscape
Last February, the New England Patriots and their future first-ballot Hall of Fame quarterback, Tom Brady, won their sixth Super Bowl title since 2002. Over this 17-year period, they have played for the National Football League title nine times. In college football, a similar scenario has emerged, with two teams (the University of Alabama and Clemson University) winning seven out of the last 10 collegiate football national titles. It is proving to be very difficult to upend the dominant players in this sport, and many football fans and pundits believe that such domination makes the overall sport less interesting (especially if your favorite team isn’t Alabama, Clemson, or the Patriots). They think it’s bad for the sport and argue it would be better to see more variety in championship teams. As I think about that perspective, my mind drifts to a payments conversation that I am often a part of in both business and social settings: Where are payments going to be in the next three to five years?
While it would be much "more entertaining" in my social settings to be able to discuss some great shift in payments on the horizon, the fact is that right now payments is in a place similar to football’s. Card-based payments are sitting on top of the non-cash-based payments world and will be difficult to dethrone anytime soon. According to the Federal Reserve Payments Study 2016 (the last report that provided annual estimates for both automated clearinghouse (ACH) and check payments), card payments, by number of transactions, made up 72 percent of noncash payments. Now the latest figures from the payments study’s 2018 Annual Supplement report reveal that there were 123.5 billion card transactions in 2017, a figure representing robust growth of 10.1 percent from 2016. The report also highlights that, during this 2016–17 period, the number of network ACH payment transactions grew at an accelerated pace of 5.7 percent while large-institution check payments declined in number of transactions at an accelerated pace of 4.8 percent. The Federal Reserve is currently conducting its triennial payments study, which will provide updated national estimates on all noncash payments for 2018.
In the future, we might be dipping cards more often, tapping contactless cards, or even tapping our phones more, but it’s hard to envision a new payment channel making much headway in the next three to five years. Cards just have too big of a share and are experiencing accelerating growth. Consumers are not only accustomed to using them, but they also find that cards work very efficiently for them. And just like the football fans and pundits who talk or write about the need for different champions in the football world, payments professionals and pundits are enamored with writing about and discussing how blockchain, distributed ledger technology, faster payments, or some other brave, new technology are going to be the next frontier in payments. And you know, they might be right one day, but it’s not going to happen anytime soon, certainly not before Mr. Brady finds his way into the Hall of Fame.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 11, 2019
Payments Webinar Explores a Fintech Talent Gap
Developments in financial technology (fintech), as welcome as they may be, are pressuring one of our most valuable resources: our workforce. Not only are there not enough candidates experienced in new fintech, but also there is a growing gap between the skills employers want and the skills that employed professionals have.
As fast as fintech is moving, it is important not to be hasty when making talent development decisions. Now is the time to be strategic and intentional in evaluating the ways to bridge the fintech talent gap. Most new banking technologies, especially those that are payments related (whether they’re offered by a traditional financial institution or a non-bank entity), require a new approach to software and cybersecurity. With this in mind, a fundamental feature of workforce development is aligning education and training programs with real business needs.
In the next episode of our Talk About Payments (TAP) webinar series, our panel will explore the underlying emerging technologies that are essential core knowledge for the payments and fintech workforce. We will also explore initiatives that are under way to bridge the fintech talent gap. Our panel will include:
- Jessica J. Washington, AAP, Payments Risk Expert, Federal Reserve Bank of Atlanta
- James Senn, Founding Director, Georgia Fintech Academy
- Allen Sautter, Information Security Officer, Federal Reserve Bank of Atlanta
We encourage financial institutions, merchants, fintechs, payments processors, law enforcement, academia, and other payments system stakeholders to participate. Participants will be able to submit questions during the webinar.
The webinar will take place on March 21, from 1 to 2 p.m. (ET). To participate in the webinar, you must register in advance (there is no charge). You can register here. Once you have registered, we will send you a confirmation email with the login and toll-free call-in information. You can direct questions concerning the webinar to David Lott at firstname.lastname@example.org. We hope you will join us and be part of the discussion.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
Take On Payments Search
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- mobile payments
- money laundering
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- thirdparty service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud