Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources; listen to our Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

June 22, 2020

United Kingdom Extends Consumer Protection

A key element of a faster payments system is the finality of payment. Once the payer sends the payment (called an authorized push payment, or APP), it's pretty much gone for good. This finality provides a number of valuable benefits to both sender and receiver. But what if the sender has been deceived into authorizing a payment or simply makes an error in the payment destination instructions? In a March 2020 post, I discussed the growing concern in the United Kingdom about consumer liability for APPs. That concern resulted in regulatory action offering potential liability relief to consumers deceived into making such payments.

In an APP scam, a payer is tricked into transferring funds to a fraudster through an electronic payment. We have written in previous posts (including this one) about these advance fee scams; they involve people getting a call notifying them that they've won a lottery or owe delinquent tax payments, or they are asked by someone they've met through a dating site or service to send money. In the United States, once consumers have authorized such transactions, they are generally not protected from these losses by existing consumer protection regulations.

However, in the United Kingdom, the incidence rate for these APP scams reached such a level in 2017 that banking authorities took action. The financial services trade association UK FinanceOff-site link began collecting APP scam-fraud data and in January 2018 produced a best practices standards document to improve the identification and reporting of APP scams. The trade association noted that for 2019, losses from APP scams were £456 million (approximately US$581 million), compared to £354.3 million (approximately US$468.7 million) in 2018.

Also in 2018, the Financial Conduct Authority (FCA)—the United Kingdom's financial services regulator—began a series of regulatory changes intended to provide consumers with additional rights in APP disputes. Initially, APP fraud claims were directed to the consumer's financial institution, a payment service provider (PSP). The FCA concluded that the PSP receiving the funds was in a better position to investigate the situation and changed its guidelines to mandate including the receiving PSP in the investigation process.

The biggest shift occurred in May 2019, when the FCA launched a voluntary codeOff-site link regarding APP scams. The code, according to the industry group UK FinanceOff-site link, says that "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Under the code, a PSP is deemed to be at fault if it has not developed prevention (customer education) and detection programs. Although the code is labeled "voluntary," all the major U.K banks have been required to adopt it. There continue to be efforts in the British Parliament to mandate that all financial institutions, regardless of asset size, adopt the code.

In 2019, there were a reported 122,437 cases of APP fraud reported in the United Kingdom. These cases, which totaled £101 million in losses, were reviewed under the provisions of the code. Of that total, £41.3 million, or 41 percent, was reimbursed to the consumer. My reading of the code makes it seem very subjective; it appears that if the victim didn't believe it was a scam at the time they initiated the payment, they should be reimbursed. The FCA documents concede that there isn't a specific checklist to make such a determination but that each case should be decided on an individual basis—a compliance official's worst nightmare.

In an effort to preempt an unauthorized APP from taking place, the United Kingdom's retail payment operator (Pay.UK) introduced its Confirmation of PayeeOff-site link service in 2019. This service checks whether or not the payee name attached to the APP is the same name on the account receiving the payment. Originally mandated to be operational by July 2019, the deadline for adoption by the six major banks was extended to March 31, 2020. Then, because of the COVID-19 pandemic impact, the deadline was again extended, this time to June 30, 2020, although some of the big banks have already implemented the service.

As APPs gain popularity in the United States with faster payments and P2P services, what is the likelihood that similar protections will be extended to consumers here? Let us know what you think.

September 28, 2015

I Want My Two Dollars!

Dizziness and nausea come over me sometimes when I have to pay individuals. My mind scrambles. I don't carry cash or have checks. What grueling, lengthy steps will I have to go through to pay this person? Besides worrying about forgetting to meet my financial obligation if I don't pay right now, I find myself crossing my fingers behind my back hoping they have the same mobile app as I do. Or maybe we use the same bank, with any random luck. I picture myself as Layne Frost, the character played by John Cusack, from the movie Better Off Dead, with the paperboy at my doorstep insisting, "I want my two dollars!"

From bartering to exchanging livestock and shells, from cash and coin to checks and now mobile, it is inevitable that people will always find a way to pay and be paid. Forrester Research forecasts that the U.S. mobile peer-to-peer (P2P) market will grow to nearly $17 billion in transaction value by 2019. Yet the United States P2P payment volume by instrument is still largely cash-based, followed by check. Forecasters are planning on migration from over 6 billion cash and 2.1 billion check P2P transactions to the mobile space. Who will win the lion's share of paper-based P2P payments as people embrace electronic payments?

Let's look at the P2P payment lifecycle before you make your predictions:

P2p-payment-lifecycle

My expectation is that everyone in the P2P space today faces challenges in getting there from here. Some will have a handsome share of the market but in doing so may suffocate opportunity for ubiquitous solutions that will benefit consumers nationwide. Fragmentation is our obstacle in P2P today. If both Ps don't have something in common (for example, financial institution, phone manufacturer, mobile application, social media, branded debit card), then the payment can't occur and...back to the basics we go. Cash and checks are accepted by almost everyone. Moreover, cash eliminates the middle part—cash means finality of good funds, sender to recipient, instantly.

All P2P access channels, or funds load, providers who offer accounts to consumers—whether these providers are financial institutions; virtual wallets like Google and Paypal; mobile/online applications like SquareCash, Venmo, or Dwolla; or prepaid accounts like Bluebird or NetSpend—should be able to access a directory to process payments from anyone to anyone. Ubiquity means debit card or not, banked or unbanked, same state or not. This can be achieved when financial institutions cooperate through open access to a directory, since all nonbank P2P providers ultimately use a bank to conduct the business of processing payments.

There is an option that could surpass directory deliberations. Bitcoin's blockchain technology, like cash, can eliminate middle participants—like cash, it is finality of good funds, sender to recipient, instantly. Perhaps the directory will be technology nonpartisan and connect all payments. Until then, I'll keep crossing my fingers when the paperboy shows up.

Photo of Jessica J. Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 13, 2010

Numbers don't back up fears about WEB and TEL

Recently, I got word that many banks, particularly small banks, may be bypassing the opportunity to market certain ACH origination services to their corporate customers because they are concerned about the underlying potential for fraud. In particular, banks may be holding back on offering debit origination services to companies selling services or accepting bill payments over the web or telephone. These are recognized as WEB or TEL entries in the parlance of ACH.

Certainly, conscientious, well-controlled financial institutions should be concerned about ensuring that they are not party to fraudulent transactions through the ACH. However, there is nothing inherently risky about WEB and TEL entries compared to any other types of transactions. In fact, in recent presentations, the NACHA-The Electronic Payments Association has revealed encouraging long-term trends with regard to a key statistic in sensing fraud: the level of unauthorized ACH returns.

WEB and TEL return data are favorable
Data collected from the Federal Reserve and the Clearing House Payments Company—the two ACH operators—and aggregated by NACHA show that the overall return rate for WEB transactions stands at 0.03 percent, or three transactions in every 10,000, as of the second quarter of 2010. Interestingly, this rate is actually slightly lower than the rate for all preauthorized debits—such as insurance premiums, car payments, and health club fees—which stands at 0.04 percent over the same period.

For TEL transactions, the rate is somewhat higher at 0.11 percent, or 11 returns for every 10,000 transactions. This higher rate may stem from the fact that a good percentage of TEL transactions flow from telemarketing activities that are sometimes fraudulent or sometimes characterized by "buyer's remorse." In contrast, Federal Reserve data show that return rates for check collection—a business generally thought to be safe by most banks—average something less than 1.0 percent. The point here is that data shows that ACH WEB and TEL transactions do not appear to be risky by common transaction processing measures.

Knowing the customer is still critical
As with all account relationships held by financial institutions, a small dose of due diligence can go a long way to help ensure that an institution does not engage with a fraudulent firm. This "know your customer" process, if applied regularly, can diminish any significant chance of experiencing ACH fraud for TEL transactions. For that matter, the same due diligence is necessary for remote deposit capture, remotely created check relationships, and credit card services. In addition, both the Federal Reserve and the Clearing House offer originating depository financial institutions ACH risk management and monitoring services that allow a bank to quickly detect any dangerous trends in unauthorized return experience. In fact, the Federal Reserve service allows originating financial institutions to reduce their risk exposure by establishing debit and credit origination limits on any of their corporate originators as part of their overall risk management program.

The only thing we have to fear...
It's possible that some of the concerns that small banks have regarding these transactions stem from recent news reports. Some corporations that have fallen victim to so-called account takeovers have accused their banks of not doing enough to help them detect fraudulent activity in their ACH-originated payroll files. As most professionals know by now, Internet-based criminals use the account takeover scheme to insert malware into a company's system through e-mail, spam, or some other vehicle. Banks are still wrestling with ways to help their clients monitor such files, and ACH operators do not have any specific services in place yet to help the banks do this. However, WEB and TEL transactions involve the origination of debit transactions, not credit transactions, as is generally the case with account takeovers.

Small banks may also not be originating WEB and TEL transactions simply because many smaller companies, utilities, manufacturers, and retailers are not yet offering web-based payment services. In essence, the market for selling such services is limited, but it's clear that over time more and more small companies will be able to offer these payment services and will be asking their banks to support ACH WEB and TEL originations. And really, given the data and controls noted above, "The only thing we have to fear is fear itself," to quote a famous president.

Marie Curie said it a little differently: "Nothing in life is to be feared. It is only to be understood." It is important to be risk-conscious, but it is also important to understand the available data and controls for informing decisions about ACH services that could represent opportunities to service a customer's changing needs better.

Photo of Rich OliverBy Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

Take On Payments Search


Recent Posts


Categories