Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 6, 2020
Could COVID-19 Help Narrow the Digital Divide?
The stay-at-home requirements implemented in March upended our personal and professional lives. Most of us have had to adopt new ways of living, working, and conducting commerce. Although I did not previously have a dedicated home office, the essential tools required to perform my job remotely were in place—in particular, I had reliable broadband internet. An available and reliable internet connection in the home is critical for distance-based schooling, telehealth, and remote work, and the shuttering of schools, retail establishments, and workplaces during the COVID-19 pandemic has highlighted the disparity that remains in broadband internet availability. The Atlanta Fed's community and economic development group investigates this disparity in a recent article, which largely affects rural America. (Another article summarizes some of the group's research.) Could this pandemic be the catalyst that helps us close this digital divide?
The Telecommunications Act of 1996 requires the Federal Communications Commission (FCC) to report annually on whether broadband "is being deployed to all Americans in a reasonable and timely fashion." Since 2017, the FCC has made closing the digital divide a top priority, specifically targeting low-income consumers, rural areas, Tribal lands, and disaster-affected areas. According to the CED, in the states within the Atlanta Fed District, "1.2 million people live in counties where less than half the population is within reach of basic fixed broadband service." The article goes on to state that the economic challenges associated with narrowing the digital divide are similar to those experienced in the 1940s and '50s as the United States pursued rural electrification, and primarily attributed to costly infrastructure.
The FCC's benchmark for high-speed broadband is 25/3 megabits per second— that is, a speed of 25 megabits-per-second download and 3 megabits-per-second upload. Although efforts to close the gap have resulted in some gains, the FCC's 2020 Broadband Deployment Report notes that, as of the end of 2018, the standard was unavailable to approximately 5.6 percent of Americans, particularly those in rural areas and Tribal lands.
The Coronavirus Aid, Relief, and Economic Security (CARES) Act, signed into law in late March, included funding for the construction of infrastructure necessary to expand broadband access to rural areas—infrastructure that will remain after the state of emergency has expired. Some organizations are investing their own money in the effort. Here in Georgia, for example, a recent donation from a major telecommunications provider tripled the number of wifi-enabled school buses in rural communities.
When nonessential businesses closed this spring, I turned to online shopping to purchase basic household items, as did many others with broadband access. This is a trend I expect will continue even when life gets back to "normal." Compared to the same quarter in 2019, the Department of Commerce reported an ecommerce transaction growth rate of almost 15 percent in the first quarter of 2020. Based on my own anecdotal research of how often delivery trucks drive down my street each day, I'm predicting that second-quarter data, scheduled for release on August 18, will likely show increased growth as a result of the pandemic.
My ability to access broadband internet has been critical to my successful stay-at-home work strategy. Will the broadband infrastructure enhancements resulting from recent legislation have an appreciable impact on the digital divide? If so, it will be a positive outcome from an otherwise daunting year.
June 29, 2020
How Do You Love Me? Let Me Count the $$$$
The COVID-19 pandemic has affected everyone's life in some way. Sadly, criminals prey on the chaos created by such situations. We posted back in 2014 about a variety of advance fee scams where victims are duped into sending funds to the criminal, and more recently mentioned these scams in a post about elder financial exploitation. The latest figures from the Federal Trade Commission show that approximately 25,000 consumers reported losses of $201 million in 2019—nearly 40 percent more than in 2018—from romance scams. And this figure is only for reported losses. While the elderly are often a target, victims are adults of all ages and genders. With the social isolation created by the pandemic, romance scams appear to be increasing at a faster pace.
A romance scam often starts with the criminal placing a false profile on an internet dating site. In some cases, the website is completely fraudulent with a large base of false identities, and it collects payment card information for subsequent fraudulent transactions in addition to operating the advance payment scam. After some message exchanges on the dating site, the scammer will encourage the victim to use a private communication channel such as email or text messaging. In the past, the criminal would usually avoid video chats to reveal their true identity. Today, however, these criminal efforts have become increasingly sophisticated. They often have the same person whose photograph they used on the site do these video chats. The criminal will often claim to live or work in a foreign country or at considerable distance from the victim to discourage the victim from visiting. The scammer will often research social media sites to gain more information about the victim's hobbies and interests to help convince the victim that they are "true soulmates."
The criminal tries to deepen the relationship with frequent claims of affection and may even send small-value gifts to the victim to build trust. Once the criminal believes they have the victim "hooked," the financial requests begin. Often it will be a request to send money to pay for medical services for a close relative, or to help the scammer get through some financial hardship. The criminal may also request nonfinancial items, including intimate photographs or videos to be used for extortion later. There may be a request for money or payment card information for the scammer to purchase an airline ticket to come visit the victim, a trip that never happens due to a sudden illness or other excuse.
Education is the key to the prevention or early detection of such a scam. The FTC recommends the following:
- Never send money in any form to someone you haven't actually met. If someone you've met online asks you for money, report it to the Federal Trade Commission (FTC) at ftc.gov/complaint.
- Perform a reverse image search of the person's profile picture to see if it matches with another person's name or if there are other discrepancies. (Some apps provide this service, as does at least one search engine.)
- If you discover that you are, in fact, being scammed, stop communicating with the person immediately, but save the messages.
- If the initial contact was through a dating website, notify the site of the scam.
The Federal Reserve joins with the FBI, FTC, and consumer organizations in helping to educate the public against these criminal activities. Please use any channels you have to spread this educational effort and clean up this slimy activity.
Now go wash up.
June 22, 2020
United Kingdom Extends Consumer Protection
A key element of a faster payments system is the finality of payment. Once the payer sends the payment (called an authorized push payment, or APP), it's pretty much gone for good. This finality provides a number of valuable benefits to both sender and receiver. But what if the sender has been deceived into authorizing a payment or simply makes an error in the payment destination instructions? In a March 2020 post, I discussed the growing concern in the United Kingdom about consumer liability for APPs. That concern resulted in regulatory action offering potential liability relief to consumers deceived into making such payments.
In an APP scam, a payer is tricked into transferring funds to a fraudster through an electronic payment. We have written in previous posts (including this one) about these advance fee scams; they involve people getting a call notifying them that they've won a lottery or owe delinquent tax payments, or they are asked by someone they've met through a dating site or service to send money. In the United States, once consumers have authorized such transactions, they are generally not protected from these losses by existing consumer protection regulations.
However, in the United Kingdom, the incidence rate for these APP scams reached such a level in 2017 that banking authorities took action. The financial services trade association UK Finance began collecting APP scam-fraud data and in January 2018 produced a best practices standards document to improve the identification and reporting of APP scams. The trade association noted that for 2019, losses from APP scams were £456 million (approximately US$581 million), compared to £354.3 million (approximately US$468.7 million) in 2018.
Also in 2018, the Financial Conduct Authority (FCA)—the United Kingdom's financial services regulator—began a series of regulatory changes intended to provide consumers with additional rights in APP disputes. Initially, APP fraud claims were directed to the consumer's financial institution, a payment service provider (PSP). The FCA concluded that the PSP receiving the funds was in a better position to investigate the situation and changed its guidelines to mandate including the receiving PSP in the investigation process.
The biggest shift occurred in May 2019, when the FCA launched a voluntary code regarding APP scams. The code, according to the industry group UK Finance, says that "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Under the code, a PSP is deemed to be at fault if it has not developed prevention (customer education) and detection programs. Although the code is labeled "voluntary," all the major U.K banks have been required to adopt it. There continue to be efforts in the British Parliament to mandate that all financial institutions, regardless of asset size, adopt the code.
In 2019, there were a reported 122,437 cases of APP fraud reported in the United Kingdom. These cases, which totaled £101 million in losses, were reviewed under the provisions of the code. Of that total, £41.3 million, or 41 percent, was reimbursed to the consumer. My reading of the code makes it seem very subjective; it appears that if the victim didn't believe it was a scam at the time they initiated the payment, they should be reimbursed. The FCA documents concede that there isn't a specific checklist to make such a determination but that each case should be decided on an individual basis—a compliance official's worst nightmare.
In an effort to preempt an unauthorized APP from taking place, the United Kingdom's retail payment operator (Pay.UK) introduced its Confirmation of Payee service in 2019. This service checks whether or not the payee name attached to the APP is the same name on the account receiving the payment. Originally mandated to be operational by July 2019, the deadline for adoption by the six major banks was extended to March 31, 2020. Then, because of the COVID-19 pandemic impact, the deadline was again extended, this time to June 30, 2020, although some of the big banks have already implemented the service.
As APPs gain popularity in the United States with faster payments and P2P services, what is the likelihood that similar protections will be extended to consumers here? Let us know what you think.
June 15, 2020
A Cloudy Day Is No Match for a Sunny Disposition
Heading into 2020, investments in companies providing cloud computing services were on fire. Various research firms (here and here) estimate that worldwide spending on public cloud services is growing at a compound annual growth rate that falls between 15 percent and more than 22 percent. As cloud computing matures, many financial institutions are considering the benefits that it can provide. In an October 2019 report on a worldwide survey of bankers, a vendor reported that just over half of all bankers surveyed indicated that they currently have or plan to have a cloud adoption strategy in place within the next two years. Keep in mind that this survey was administered before COVID-19 changed, at least temporarily, the business environment.
Because so much work, banking, and commerce occurs remotely, demand for cloud computing has risen. Although cloud computing can offer advantages, financial institutions need to assess and monitor the risks just as they do with other third-party providers. This may be why the Federal Financial Institutions Examination Council (FFIEC) thought the timing was right to release a statement in late April on Security in a Cloud Computing Environment .
A key takeaway from the FFIEC statement is that even though cloud providers have controls in place, or offer controls, to create a secure environment, the "buck" ultimately stops with the financial institution. It remains the financial institution's responsibility to ensure that proper security protocols are in place based on the service level agreement with its cloud providers. As with other third-party relationships, financial institutions are responsible for ongoing oversight and monitoring of their cloud providers. It may be necessary for a financial institution to implement security protocols above and beyond what cloud providers offer.
Cloud computing can make our lives easier, as evidenced by those who have been able to work remotely during the past few months. But we must also recognize the risks it poses and mitigate those as much as possible. Although the FFIEC statement doesn't contain any new regulatory expectations, it does provide excellent guidance along with a multitude of resources and references for financial institutions seeking information on cloud computing risk management. By employing effective risk management practices, financial institutions can minimize the risks of the cloud becoming a storm cloud and keep the sun shining brightly on a secure environment!
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud