
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


August 19, 2019

Why Should You Care about PSD2?

The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority had refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.

The PSD2 has two major requirements: offer open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018 while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.

Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:

  • Something you know (for example, PIN or password)
  • Something you have (for example, chip card, mobile phone, or hardware token)
  • Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)

PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.

The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:

  • Low-value transactions (under €30, approximately $33)
  • Transactions with businesses that the consumer identifies as trusted
  • Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
  • "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
  • Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
  • Business-to-business (B2B) payments

Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.


July 29, 2019

You Can't Manage What You Can't Measure

Peter Drucker famously applied the adage "you can't manage what you can't measure" to widgets at General Motors. Researchers, fintech entrepreneurs, elected leaders, and others who are trying to ensure economic mobility for all would do well to remember this advice. To be able to interpret or conclude that real improvements are occurring due to financial innovation, it is important to understand the metrics used for assessing economic mobility.

One important resource for data on financial inclusion is the Group of Twenty (G20) Global Partnership for Financial Inclusion (GPFI). This group has produced a number of excellent documents on financial inclusion. I want to bring special attention to the G20 Financial Inclusion Indicators and the interactive dashboard.

These indicators grew out of the original Basic Set of Financial Inclusion Indicators, which was created in 2012. Updated this past April, the indicators are meant to measure achievements and disparities in the use of digital financial services along with the technology or environment that is needed to enable use of these services. The dashboard interprets recent data collected for certain indicators. You can download country-level raw data based on variables that you customize. Also on the G20 site is an interactive data visualizer that will let you see how the United States compares to other countries by each indicator.

There are three dimensions to the measurement: (1) access to financial services, (2) use of financial services, and (3) quality of products and service delivery. Here are some indicator categories related specifically to payments:

  • Retail cashless transactions
  • Adults using digital payments
  • Mobile phone or Internet-based payments
  • Payments using a bank card
  • Debit card ownership
  • Proximity to physical points of service (i.e. branches, ATMs, access to internet)
  • Enterprises that send or receive digital payments
  • Received wages or government transfers into an account

The GPFI encourages individual countries to supplement the G20 Indicators with country-specific metrics. Following are several additional sources contributing to measurements of financial inclusion for the United States:

  • U.S. Financial Health Pulse by the Financial Health Network: Measures financial health using the Center for Financial Services Innovation Financial Health Score measurement methodology, consumer surveys, and transactional records.
  • The Opportunity Atlas by the U.S. Census Bureau and Opportunity Insights: Maps the neighborhoods in the United States that offer children the best chance to rise out of poverty.
  • Small City Economic Dynamism Index by the Federal Reserve Bank of Atlanta: Provides a snapshot of the economic trajectory and current conditions of 816 small and midsized cities across the United States. It includes 13 indicators of economic dynamism for metropolitan and micropolitan areas with populations above 12,000 and below 500,000.
  • Payment Volume Charts Treasury-Disbursed Agencies by the Bureau of the Fiscal Service: Offers downloadable reports that compare monthly and cumulative electronic funds transfer payment volumes for different time periods.
  • Model Safe Accounts by the Federal Deposit Insurance Corporation: Offers an overview and report of a pilot program designed to evaluate the feasibility of financial institutions offering safe, low-cost transactional and savings accounts that are responsive to the needs of underserved consumers.

Keeping data at the forefront of the discussion on financial inclusion will better inform strategies, help organizations and entrepreneurs build better products and services, and help policymakers and many others monitor the effect of initiatives.

By Jessica Washington, AAP, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 3, 2019

Hitting the Brakes on the Cashless Society

"Reverse ATMs" is a term I learned from reading my colleague Oz Shy's new working paper, "Cashless Stores and Cash Users." At venues that don't accept cash at the register, the patron puts cash into the reverse ATM and a loaded prepaid card comes out. Mercedes-Benz Stadium in Atlanta, for example, is one of the latest venues to adopt this practice.

Speaking of "reverse," I'm sure you know that some states and municipalities are seeking to reverse what may—or may not—be a trend toward brick-and-mortar retailers not accepting cash. Refusing to accept cash has been illegal in Massachusetts, where I live, since 1978. More recent developments:

  • Philadelphia will ban cashless stores beginning in July.
  • In March, New Jersey outlawed cashless restaurants and stores.
  • In May, the San Francisco Board of Supervisors voted to require brick-and-mortar businesses to accept cash.
  • Also in May, Representative David Cicilline (D-RI) introduced the Cash Buyer Discrimination Act, which would require businesses all across the United States to accept cash.

These and other proposed laws are predicated on the idea that people without access to payment cards or digital payments are harmed when they cannot make purchases using their payment instrument of choice: cash. Oz's paper adds to the conversation by examining the choices consumers make at the point of sale, depending on their access to different ways to pay.

Using data from the 2017 Diary of Consumer Payment Choice, Oz found that consumers who own different mixes of payment instruments use cash with different intensity to make in-person purchases:

  • Diary respondents who own neither a credit card nor a nonprepaid debit card made almost 9 in 10 of their in-person payments with cash, on average. The median share of cash purchases was 100 percent.
  • Diary respondents who own at least one credit card and one nonprepaid debit card make about one-third of their in-person payments with cash, on average. The median share was 20 percent.

Oz goes on to calculate the cost to the cash payers who do not have credit or nonprepaid debit cards of switching from cash to a prepaid card. He finds that, all things being equal, for some consumers, using cash would have to cost twice as much as using a prepaid card for the cash users to be indifferent to switching. Oz's conclusion: "A complete transition to cashless stores imposes a measurable burden on consumers who do not have credit or [nonprepaid] debit cards." For perspective, 8.5 percent of respondents with household income below the U.S. median ($61,000) did not have a credit card or nonprepaid debit card in 2017, according to the diary.

As this research shows, cash is important to some consumers. The cashless society could be on a collision course with reality.

May 20, 2019

Could Federal Privacy Law Happen in 2019?

Some payments people have suggested that this could be the year for mobile payments to take off. My take? Nah. I gave up on that thought several years ago, as I've made clear in some of my previous posts. I'm actually wondering if this will be the year that federal privacy legislation is enacted in the United States. The effects of the European Union's General Data Protection Regulation (GDPR) that took effect a year ago (see this Take on Payments post) are being felt in the United States and across the globe. The GDPR essentially has created a global standard for how companies should protect citizens' personal data and the rights of everyone to understand what data is being collected as well as how to opt out of this collection. While technically the GDPR applies only to EU citizens, even when traveling outside the European Union, most businesses have taken a cautious approach and are treating every transaction—financial or informational—that they process as something that could be covered under the GDPR.

A tangible impact of the GDPR in the United States is that the state of California has passed a data privacy law known as the California Consumer Privacy Act of 2018 (CCPA) that is partly patterned after the GDPR. The CCPA gives California residents five basic rights related to data privacy:

  • The right to know what personal information a business has collected about them, where it was obtained, how it is being used, and whether it is being disclosed or sold to other parties and, if so, to whom it is being disclosed or sold
  • The right to access that personal information free of charge up to two times within a 12-month period
  • The right to opt out of allowing a business to sell their personal information to third parties
  • The right to have a business delete their personal information, except for information that is required to effect a transaction or comply with other regulatory requirements.
  • The right to receive equal service and pricing from a business, even if they have exercised their privacy rights under the CCPA.

According to the National Conference of State Legislatures (NCSL), 17 states have mandated that their governmental websites and access portals state privacy policies and procedures. Additionally, other states have laws related to privacy, such as children's online privacy, the monitoring of employee email, and e-reader policies.

Take On Payments has previously discussed the numerous efforts to introduce federal legislation regarding privacy and data breach notification with little traction. So why do I think change is in the air? The growing trend of states implementing privacy legislation is putting pressure on Congress to take action in order to have a consistent national policy and process that businesses operating across state lines can understand and follow.

What do you think?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed