Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 18, 2016
The 411 on Banning the RCC
Are you proficient in recognizing phone scams? One that I've frequently experienced is when the caller tells me I've won a cruise and all I have to do is pay the taxes. To help combat phone fraud, the Federal Trade Commission (FTC) amended the Telemarketing Sales Rule. Part of the amendment prohibits payment types commonly used in deceptive and abusive telemarketing practices. Effective June 13, 2016, telemarketers can't ask for payment by cash-to-cash money transfers, PINs from cash reload cards, or bank account information, which would allow them to create a remotely created check (RCC). Fraudsters prefer RCCs because reversals are more difficult, notes the FTC. In particular, RCCs sail quickly through the clearing and settlement process, making for easy collection by fraudsters and clunky adjustment processes for financial institutions.
Financial institutions (FIs) are the gatekeepers to payment systems and, with the amendment to the rule, take on a new risk tied to what their customers do. FIs have always had the compliance risk of understanding their customer's business. As an FI, how would you know if you had a telemarketing customer already on board or one attempting to apply today? Further, how would you know if a current customer is accepting payment via RCC, since RCCs look like traditional checks? If you have third-party processors as customers, these questions become more difficult. Then the risk lies in identifying whether your customer's customer is a telemarketer processing banned payments through your bank.
Most agreements between FIs and business customers typically include a clause binding their customers to process payments in compliance with applicable laws of the United States. What additional steps should FIs take to manage the risks that apply to different industries and different payment types?
There are limited ways to identify RCCs because such items are cleared like traditional checks. Effective November 2015, the standards for the MICR (magnetic ink character recognition) line were changed to include a "6" in a certain position in the line to indicate an RCC. This is a standard and not a requirement. But if the 6 is used, that is one way to identify an RCC. If the standard is not used, nothing uniquely identifies an item as an RCC unless one examines the signature block on the check, since RCCs have no signature. An FI or a processor may not have the ability to look at every item included in every deposit, but could have random testing in place to attempt to identify the illegal use of RCCs.
Another indicator of deceptive practices by a business customer is anomalies in return rates. A large number of adjustments may signal that abuses are taking place. An RCC is often confused with an ACH entry, and some telemarketers may convert their RCCs to ACH to spread out alarming return rates.
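The return-rate indicator above can be sketched as a small monitor. This is an added example, not code from the Atlanta Fed or any institution; the customer names, volumes, the 5 percent threshold and the 100-item volume floor are all constructed assumptions. It shows why RCC and ACH activity should also be evaluated together: a customer that splits volume across channels can stay under a per-channel volume floor while the combined return rate is clearly abnormal.

```python
from collections import defaultdict

# Constructed sample data: (customer, channel, items_deposited, items_returned)
# for one review period. Names and volumes are illustrative only.
SAMPLE_PERIOD = [
    ("acme-insurance", "RCC", 4000, 20),
    ("acme-insurance", "ACH", 6000, 45),
    ("sunny-cruises",  "RCC",   60,  9),
    ("sunny-cruises",  "ACH",   70, 10),
    ("corner-charity", "RCC",   40,  1),
]

def return_rates(records):
    """Aggregate items and returns per customer, per channel and combined."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for customer, channel, items, returns in records:
        for key in (channel, "ALL"):  # "ALL" is the cross-channel total
            totals[customer][key][0] += items
            totals[customer][key][1] += returns
    return totals

def flag_customers(records, max_rate=0.05, min_items=100, combine=True):
    """Return {customer: [(channel, rate), ...]} for rates above max_rate.

    max_rate and min_items are assumed settings, meant to be tuned.
    min_items is a volume floor that keeps tiny samples from raising alerts.
    With combine=False only the individual channels are checked.
    """
    flagged = {}
    for customer, channels in return_rates(records).items():
        hits = []
        for channel, (items, returns) in sorted(channels.items()):
            if channel == "ALL" and not combine:
                continue
            if items >= min_items and returns / items > max_rate:
                hits.append((channel, round(returns / items, 4)))
        if hits:
            flagged[customer] = hits
    return flagged

if __name__ == "__main__":
    print("per-channel only:", flag_customers(SAMPLE_PERIOD, combine=False))
    print("with combined   :", flag_customers(SAMPLE_PERIOD))
```

Checked per channel, the constructed telemarketer never reaches the volume floor and raises no alert; checked across channels, its 19 returns on 130 items stand out.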
It will be all hands on deck to stop abusive RCC practices, but the FTC has charted the course with its new rulemaking.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 7, 2014
Learning from Experience to Handle Suspicious Payment Transactions
In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.
Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments, like checks and ACH, or these new variants, the RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:
- The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
- A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
- Consumer complaints about a business suddenly increase.
- Another institution contacts the bank with concerns about a particular business.
- The bank becomes aware of legal actions taken against a business.
- Returns for a business's payment transactions increase.
Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.
When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.
The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer's concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the USA PATRIOT Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.
Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.
As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.
How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 6, 2014
When It Comes to RCCs, Can We Make the Invisible Visible?
In May 2013, the Federal Trade Commission (FTC) issued a proposal for public comment to amend the telemarketing sales rule to prohibit telemarketers from using certain payment types, including remotely created checks (RCCs). The proposal addressed attributes of RCCs that make their use susceptible to abuse. RCCs, sometimes referred to as demand drafts, are checks that payees issue rather than the consumer or the consumer’s bank, and are not signed by the consumer. The attributes the proposal addresses include the difficulty of distinguishing RCCs from check images, the absence of reliable data on the volume of RCCs and returns, and the lack of centralized fraud monitoring. Together, these attributes make RCCs relatively invisible.
RCCs usually garner attention only when a law enforcement case uncovers their use in fraud, typically when consumers are victimized by unfair and deceptive practices. Still, RCCs are not just a tool for committing fraud—they are used for legitimate purposes and are frequently authorized by consumers as payments for credit cards, charitable donations, and insurance premiums. At times, banks originate the RCCs themselves or on behalf of the payee, so in these instances, the bank monitors returns, identifies issues, and manages them.
In other payment methods, including ACH transactions and cards, the ability to recognize the payment, track volume and returns, and monitor fraud centrally has proven to be beneficial in addressing fraud. For example, ACH operators have data on forward entries and returns for ACH transactions that enable ACH participants to identify and address issues proactively. Adding these layers of data to enable identification and monitoring of RCCs would prove equally beneficial to the depository and paying banks, as well as to regulators and law enforcement, who could potentially identify and address RCC fraud more directly.
How can the industry improve the identification and tracking of RCCs? One option could be to develop some kind of technology that would distinguish between RCCs and check images with a high degree of accuracy. Another option could be to approve a standard for an identifier in the MICR (short for magnetic ink character recognition) line to indicate that this document is an RCC.
Some industry participants have pursued the MICR line identifier in the past, but these efforts did not gain traction within the industry. However, it may be an idea whose time has come given the concerns that regulators and law enforcement officials are raising about the "invisibility" of RCCs. A MICR line identifier would also allow for centralized fraud monitoring. For instance, depository banks could report periodically to their primary regulator on RCC returns. This reporting would provide information to regulators and law enforcement on possible fraud and support banks in their efforts to mitigate improper RCC usage.
Does your institution see value in making RCCs visible in the processing stream and quantifying their use?
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 7, 2010
Remotely created checks: Banks of first deposit provide front line of defense
Almost everyone has authorized a draft transaction from a checking account, whether to expedite a payment to a creditor, purchase an item via telephone or Internet, or compensate a merchant for the return of an initial paper check due to insufficient funds. The payee remotely creates these preauthorized drafts, or remotely created checks (RCCs), under the authority of the accountholder but without the accountholder's signature. This lack of signature makes RCCs vulnerable to fraud.
How can the payments industry balance the legitimacy and convenience of an RCC with the risk management challenges it presents? Staff at the Atlanta Fed's Retail Payments Risk Forum explored this question and other challenging issues in a recently published concept paper, "An Examination of Remotely Created Checks."
Risk management challenges: RCCs are hard to monitor
RCCs, like traditional checks, can be sent forward for collection through the banking system or processed electronically by converting the paper check into an electronic file acceptable to image-exchange networks. Electronic-only RCCs can also be presented for payment and sent forward for clearing, and in some instances can be converted and processed as an ACH debit item and cleared through the ACH network. RCCs that exist in this format may easily bypass detection because, when they are sent forward for clearing, they appear in a format indistinguishable from files of images captured from paper checks.
Distinguishing electronic-only RCCs from paper RCCs converted to an electronic image is crucial to understanding and appropriately applying the new RCC warranty and presentment claims. Yet reliable data on the prevalence of RCCs as well as the true magnitude of fraud perpetrated through this payment channel is difficult to quantify because, as stated above, RCCs are indistinguishable from files of images from paper checks.
Risk management concerns and applicable due diligence protocols
In 2005, Regulation CC was amended to address RCCs' unique attributes and the risks and challenges that accompany them. Ultimately, Regulation CC altered the final payment rule by shifting liability for unauthorized RCCs from the paying bank to the bank of first deposit. The change in liability structure also altered presentment and transfer warranties.
Risk management concerns for the bank of first deposit are substantial due to the inherent risk of unauthorized RCC transactions. Often, reported incidents of RCC fraud are tied to poor internal controls and due diligence practices of banks, particularly with their "know your customer" programs.
The Office of the Comptroller of the Currency (OCC) issued updated guidance in 2008 suggesting that account relationships with third-party payment processors are the riskiest for a bank that accepts RCCs as deposits. The guidance was intended to serve as a supplement to existing risk management practices while enhancing underwriting and monitoring of entities that process payments for telemarketers and other merchants.
Depository banks may be best poised to manage the unique risk of RCCs
Some experts firmly believe that RCCs provide consumers the important benefit of avoiding late fees by facilitating the expedited payment of a bill, while others oppose the use of RCCs because their risks outweigh any benefits they may provide. Rather than prohibit their use, exploring improved ways to manage RCCs may preclude the need for new laws or regulations.
Only the bank of first deposit possesses the information necessary to manage RCCs, and only the bank of first deposit has a financial incentive for mitigating RCC fraud. By creating comprehensive risk management practices, beginning with account relationship agreements, the bank of first deposit could detail the quantity of RCCs it will accept, the quality of the images, and the permissible percentage of returns it will accept as RCCs. The institution with the most to lose has the most to gain by policing its own payments activities, while identifying, monitoring, and controlling RCC fraud risk.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed