Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 2, 2015
Security at the ATM: We Have Some Educating to Do
ATM Marketplace recently published its 2015 triennial research report, which includes results of a poll of U.S. consumers on various issues related to ATMs. The online poll was conducted with a panel of 550+ individuals creating a representative sample of the adult (aged 18–65 years) population. Certain findings from the report stand out, in particular those related to consumers' expectations of various aspects of ATM transaction risk.
One question probed how concerned the respondent was about a skimming or camera device capturing their card information and PIN when they use the ATM. Thirty-eight percent indicated they were very concerned, but the remaining 61 percent indicated they were not that concerned or weren't even aware of what a skimming device is. The pie chart below breaks down each response.
Does the lack of concern come from a lack of education, or is it because the respondent knows the financial institution will have to bear the financial liability?
One of the final questions in the poll was whether the respondent felt an EMV card would make an ATM transaction more secure. As the chart below shows, more than half of the respondents believed there would be at least some level of improved security.
Of great concern to me is the 15 percent who indicated they don't know what an EMV card is. Of the two groups who mostly reported this lack of knowledge, one was the youngest (18–24) group, which surprised me. These younger people are supposed to be more tech-savvy than the rest of us. But of even greater surprise was that almost one-third (31 percent) of the most affluent group (those with a household income more than $150,000) responded they don't know what an EMV card is.
Clearly, the financial industry has a lot of educating to do as credit and debit card issuers ramp up their EMV card issuance in advance of the point-of-sale liability shift on October 1, 2015. While the ATM liability shift won't occur until October 2016 for domestic MasterCards and a year later for Visa cards, it's never too early to begin or continue educational initiatives.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 8, 2014
Under Pressure: The Fate of the Independent ATM Operators
The ATM industry in the United States is facing many challenges. For one, the interchange rates that networks pay to ATM owners have been halved over the last five years, transaction surcharges are topping off, and operating expenses are escalating. These financial strains may be hardest for the thousands of small business entrepreneurs in the United States who own and operate ATMs independent of those that belong to financial institutions (FIs). (Non-FI owners/operators are responsible for an estimated 65 percent of all U.S. ATMs.) For another, at least for the small-business independents, a changing landscape is placing pressure on the relationships the independent owners/operators have with their FIs.
I recently attended and spoke at the National ATM Council's (NAC) annual conference. NAC is a nonprofit national trade association that represents the business interests of these non-FI ATM owners and operators. During the conference, I spoke with many of the attendees to learn more about the key drivers and concerns of their business. The biggest concern many owners/operators expressed is that their sponsoring FI will classify them as a high-risk business and terminate their banking relationship. (Many FIs are in the process of "de-risking" their portfolios.) FIs may mistakenly classify these operators as money service businesses (MSBs), since they dispense cash, even though state regulators do not consider them as such. Two factors are contributing to this confusion: guidance from the FFIEC's examiner manual that cautions financial institutions that criminals can use ATMs to launder funds, and an organizational structure that has sub-ISOs (that is, independent sales organizations), which can make ownership of all the ATMs unclear.
In actuality, the ability of ATM operators to launder money through an ATM is quite restricted beyond the initial funds placed in the terminal. The processors and networks, which are totally independent from the owners, generate financial reports that show the amount of funds that an ATM dispenses in any given period. So if the reports show an ATM paid out $5,000 in a month, the ATM owner can only justify resupplying the ATM with $5,000, plus a little reserve. In other words, controls maintained by independent parties clearly document the funds flowing through the ATM. Additionally, the non-FI sponsorships are dominated by four highly regarded financial institutions with strict AML/BSA programs that validate the initial funding of the ATM and monitor ongoing activity.
My advice to the group to try to avoid having their business relationship questioned or, worse, terminated, was to work proactively with the financial institution providing their settlement service and cash supply needs. Make sure their account officers understand how their businesses operate and know the controls that are in place to make money laundering unlikely to happen. And if you work for an FI that works with non-FI ATM owners/operators, don’t be surprised if they come calling on you.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 21, 2014
How Much Will Chip-Card Technology Affect ATM Owners?
Last week, my colleague Doug King wrote a post about the impact of the migration to chip-card technology on financial institutions that issue cards, with a focus on the smaller issuers. What happens with ATMs is an aspect of the chip-card migration that hasn't received much media attention. This may be because the liability shift timetable for ATMs—for MasterCard, it's October 2016; for Visa, October 2017—comes after the merchants' October 2015 deadline.
Of the roughly 430,000 ATMs in the country, nonfinancial institutions own just over half. These independent ATM deployers (called IADs) range in size from two large companies with installed ATM bases of 60,000+ machines to thousands of small independent owners with a handful of ATMs. The conversion to support chip cards can cost these businesses up to $500–800 per machine. This impending ATM upgrade has echoes of the Triple DES (or Triple Data Encryption Standard) upgrade that Visa and MasterCard mandated in 2003, with a 2007 deadline. That upgrade involved strengthening ATM transaction security to better protect cardholders' personal identification numbers. As with today's chip-card upgrade, some of the older ATMs did not have the computing power necessary to support the upgrade, which meant the owners had the additional expense of replacing or decommissioning these machines. The independent-ATM installed base declined by more than 12 percent from 2007 to 2009 because many of the owners could not afford the Triple DES upgrade.
The costs of the current upgrade come at a time when the operators are seeing a constriction of their revenues. ATM usage has not kept up with the increased number of machines, which has resulted in lower average volumes per ATM and lower transaction revenues. The increased use of debit cards at retailers along with the cash-back option that many retailers offer are primary reasons for the lower usage.
The ATM owner has two main sources of revenue: interchange fees and surcharge fees. The card issuer pays the interchange fee; the cardholder pays the surcharge, which the ATM owner adds to the transaction amount. (The cardholder may also incur a "foreign transaction" fee from their financial institution for using an ATM outside their financial institution's network, but the ATM owner receives no portion of that fee.)
For 10 years, net interchange revenue to the IADs has steadily decreased. An industry survey showed that average interchange revenue per cash withdrawal dropped from $0.555 in 2006 to $0.3625 in 2012. ATM owners have some ability to raise their surcharge amount, but they have to remain competitive. (The average ATM surcharge amount is about $2.50, according to Bankrate.com's 2012 Checking Survey.) To offset these profitability constrictions, ATM owners are continuing to look for additional revenue sources, such as video advertising or branding their ATM with the name of a financial institution.
As the chip-card deadline for ATMs gets closer, Portals and Rails will continue to monitor and report on its impact.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed.
July 7, 2014
Fighting the High-Tech Criminals
The days of small gangs or the lone criminal committing "grab-and-go" robberies or counterfeiting checks and currency are certainly not over. However, crime stories involving millions of dollars and criminal networks that span the globe tend to grab the headlines these days. Just about everyone has heard about the recent data breaches at major retailers and ATM cash-outs that have netted criminals millions of dollars. A presentation at a recent payments security conference addressed the role of high-tech criminal groups in such crimes and the major threat they present to the security and reputation of our payment system. The speaker described how law enforcement agencies are working vigilantly to shut down these large global criminal enterprises and their cybercriminal activities.
The speaker detailed the composition of a criminal network, which closely resembles the organizational structure of a multinational corporation with numerous subsidiaries. This image shows the major components of the criminal enterprise.
- Executives—These people serve as the originating group and ultimate beneficiaries of the spoils of their successful attacks. They identify the types of criminal cyberactivity to pursue, including identifying the target companies or computer systems.
- Financiers—If the executives don't have the financial resources to carry out their scheme, they often link to a funding source. The financiers may receive a share of the executives' profits as compensation, or they may simply treat the transaction as a loan, charging interest until the loan proceeds are repaid.
- Exploiters—The hackers and software personnel identify vulnerabilities in software or systems and write malware code to compromise a target's account credentials. They normally receive compensation based on the type of attack and the level of sophistication.
- Botnet operators—A botnet is a network of compromised computers. The botnet operators, sometimes called "bot herders," control these systems. They run automated programs in the background, which often go undetected by the legitimate computer owners, to send massive amounts of spam, conduct spear phishing attacks, or in some other way launch attacks against their targets. Botnet operators receive payment based on the number of compromised computers they use and the time required for the attack.
- Money mules—These players are in the most vulnerable group; they are the people on the street, retrieving the stolen funds and sending them, minus their cut, to the executives. Some law enforcement authorities have said that mules' share of the ill-gotten proceeds can be as high as 60 percent, depending on an operation's level of risk.
While these players are closely linked, they are generally separate criminal groups that have developed niche roles. The separation provides some safety to the executive group in that if members of one of the linked groups are arrested, executives can find another group to take their place so they can continue their illegal activities.
The major global criminal networks have proven to be formidable because of their resilience, but they are not invulnerable. Law enforcement agencies in the United States and other countries are working together to attack these networks through a variety of strategies. Unfortunately, in many cases, the core criminal leaders are physically located in safe havens, so called because local policies may prevent extradition or because governmental officials may be complicit or corrupt and therefore ignore the criminal activity as long as the targets of the crime are outside their borders.
Portals and Rails salutes the law enforcement personnel for their tireless efforts in this constant battle.