Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
April 6, 2020
Will COVID-19 Exacerbate Ecommerce Fraud?
Ecommerce sales in the United States continue to gain a greater share of overall retail sales each year. The Department of Commerce reports that in 2019, total ecommerce sales increased almost 15 percent over 2018 and represented 11 percent of total retail sales. There is no question that with the current COVID-19 environment, our daily habits have undergone tremendous change. As part of that change, I expect that ecommerce sales will increase at a greater rate in 2020 than in 2019.
Following social isolation guidelines, consumers and businesses are turning more and more to conducting their commerce transactions online. Prepaid carry-out, drive-through, and delivery orders now dominate the dining industry as inside dining options have been largely shuttered. Large retailers have been promoting online ordering and ship-to-home delivery options as their stores are closed. TransUnion reports that in the week from March 11 to 17, when the World Health Organization classified COVID-19 as a global pandemic, ecommerce transaction volume increased 23 percent over the previous week.
This spike in ecommerce traffic will likely bring with it a parallel spike in criminal activity, possibly adding to the increasing fraud levels in ecommerce. This shouldn't come as any surprise. It will be important for the good guys not only to be expecting this but also to be prepared for it by making swift adjustments that match the challenge.
One of the key adjustments to consider and apply quickly is properly tuning algorithms for detecting ecommerce fraud. In normal times, anomalous-pattern detection schemes are relied on to expose fraudsters. Elements such as the type of stores commonly used, frequency of usage, average or range of transaction values, and more go into making up an overall usage pattern for a given customer. While these transaction risk models have become very sophisticated over the years, they are challenged by abrupt changes in usage patterns, especially at an individual account level. They need to be smartly and quickly adjusted. Issuers and merchants need to balance the decision of denying transactions—which brings with it the risk of disgruntled legitimate customers and lost revenues—against approving fraudulent transactions and taking financial losses. No easy task, but doable and necessary to undertake, with constant attention.
Working collaboratively with merchants, consumers can help to surprise the criminals as fraud fighting evolves. The good guys win if we exercise patience with one another and remain mindful of the balance between purchase friction and fraud avoidance as fraud-fighting tools and methods adjust. Both sides being considerate of the needs on both sides of the transaction—working together, again, with patience and willingness to engage, perhaps differently than we've been willing to in the past, could yield results that everyone (except the crooks) is happier with, in both the short run and long run.
We know fraud management teams will be busy managing their fraud-detection tools and processes and expect they will rise to the challenge. We also expect consumers are ready and willing to assist in ways that are helpful as well. The constant chess match with the criminal element will continue, and we look forward to seeing a chess piece on the good guys ' side of the board with some new moves to help aid in the fight against the bad guys.
March 30, 2020
Do We Use a Payments Risk Thermostat?
I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?
The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.
- We are not aware that hand washing is so effective.
- We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.
Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.
I think this paper positing a "risk thermostat" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."
So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)
As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:
- U.S. Secret Service : Watch out for phishing scams posing as medical or health providers, charity scams on social media.
- Federal Trade Commission (FTC): Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
- U.S. Securities and Exchange Commission Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of providing companies will increase in value.
As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.
Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.
March 23, 2020
Fast Cars and Fast Payments
My son and I recently attended the Daytona 500. As an 11-year-old, he is fascinated with fast cars and speeds that routinely exceed 200 mph. The cars were certainly fast at Daytona International Motor Speedway this year. While he is blown away by the speed of the cars, I remain amazed at the overall safety record of these cars. There were numerous wrecks at this year’s race, but only one driver was seriously injured on the last lap in a wreck that was horrifying to witness. The speed of the cars definitely makes for an exciting event, but at the end of the day, safety is vital. Nobody wants to see a driver injured, and racing organizations have gone to great lengths to make sure safety is the top priority even if it means compromising the speed of cars. Could safety be as important as speed in payments, too?
Having been involved in the payments industry for the past 13 years, faster and safer have always been two (of several) buzz words associated with payments. But faster, being much cooler to discuss, seems to be the focus all too often. (Don’t talk to my son about the safety of cars—he wants to talk speed!) I joke with my colleague about surveys we often come across claiming that an extremely high percentage of people want faster payments. As a standalone question—yes, I can absolutely see that. Faster is better than the status quo or slower, right?
But we rarely get a glimpse into how important faster payments really are and if people actually want them. Are they just giving an obvious answer to a leading question? How would people respond to a question about faster payments when the question includes other attributes such as safety?
In a recent survey, approximately 1,000 respondents from the United States between the ages of 16 and 75 were asked to choose the most critical characteristics of a payment instrument: safety from fraud and theft, privacy protection, ease of use, wide acceptance, and speed. Only 12 percent of them chose speed as one of the top two. Interestingly, respondents chose safety (62 percent) and privacy (37 percent) as the most important characteristics.
Coming home from Daytona, my son and I talked about the race and just how amazing it was to watch in person. I asked him if he would like to see the cars go faster in light of some of the awful crashes that we saw. In his 11-year-old wisdom, he said the cars are probably fast enough because he didn’t like watching that final wreck. While I could debate whether or not payments are fast enough, much like the cars racing in the Daytona 500, safety remains paramount for payment instruments and must remain at the forefront of any discussion on payments.
March 16, 2020
Are Emerging Payments More Vulnerable to Fraud?
Whenever I am in a conversation about new or emerging payment products or services, I invariably get asked whether I think they will attract heightened attention from criminals. My personal opinion is, "YES, at least initially!" Why do I have that opinion? The conventional wisdom is that criminals recognize that new payment systems are likely to have some security gaps in the beginning that can be exploited. There are a number of examples I can cite to support this position.
Consider the payment card enrollment process that accompanied the introduction of the Apple Pay wallet in late 2014. Whether it was a rush to get cardholders enrolled or because of loopholes in the Identification and Verification (ID&V) process, a number of the banks offering the service fell victim to fraud early on. Criminals enrolled a number of stolen credit and debit cards in the service and then were able to make high-dollar purchases because of weak verification controls. Some industry observers cited initial fraud losses in the 600-to-800-basis-point range at some of the early issuers. This rate compares to an overall in-person, payment card fraud rate of 12.2 basis points in 2015 cited in the Federal Reserve's Payments Study supplement Changes in U.S. Payments Fraud from 2012 to 2016. Fortunately, the affected banks reacted quickly and shored up their payment card enrollment processes.
Also consider the implementation of faster payments in the United Kingdom in 2008. As did other countries implementing faster payments, the United Kingdom tried to limit fraud by taking a measured approach. In the beginning, only credit push transactions with a maximum value of £10,000 (approximately $15,000) were eligible. (Most of the initial participating banks had lower limits.) In 2010, the maximum amount was raised to £100,000. Now the maximum limit is £250,000, although financial institutions may still set lower limits and differentiate between consumer and commercial account payments. My colleague Julius Weyman highlighted some of the fraud risks in faster payments in his 2016 working paper reviewing overall risks in faster payments schemes around the globe. He pointed to the 132 percent increase in online banking fraud the United Kingdom experienced in the year following implementation.
There is growing concern among consumers in the United States and the United Kingdom about the liability for authorized push payments—such as P2P payments—because of their near-real-time nature and their finality. In a future post, I'll examine this issue with authorized push payments and look at how the United Kingdom is dealing with it.
So circling back to my initial question, do you believe that the fraud rates for new and emerging payment products are likely to be higher than the more established payment products? Let us know what you think.
Take On Payments Search
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- mobile payments
- money laundering
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- thirdparty service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud