Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the bank account associated with the employee's direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, the scheme is simple and cheap to execute and could become more attractive to criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
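One way to turn that follow-up-call discipline into a payroll control, as an added example that is not part of the original post: a screening function for direct-deposit change requests that reports header anomalies and refuses to apply a change until a callback to the number already on file confirms it. The corporate domain, employee record, addresses, phone numbers and bank details below are all constructed for illustration.

```python
# Added example (not from the Take On Payments post): screening a payroll
# direct-deposit change request so that no change is applied on the strength
# of an email alone. Every name, address, number and domain is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CORP_DOMAIN = "example.com"  # assumed corporate mail domain


@dataclass
class ChangeRequest:
    employee_id: str
    from_address: str            # From: header as HR received it
    reply_to: Optional[str]      # Reply-To: header, if present
    new_routing: str
    new_account: str


@dataclass
class EmployeeRecord:
    employee_id: str
    email: str                   # address on file in the HR system
    phone_on_file: str           # callback number on file, never taken from the email


@dataclass
class Callback:
    phone_dialed: str            # number HR actually dialed
    confirmed: bool              # did the employee confirm making the request?


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def header_flags(req: ChangeRequest, emp: EmployeeRecord) -> List[str]:
    """Indicators that the message may be spoofed or sent from a lookalike mailbox."""
    flags = []
    if mail_domain(req.from_address) != CORP_DOMAIN:
        flags.append("sender is outside the corporate domain")
    if req.from_address.lower() != emp.email.lower():
        flags.append("sender does not match the employee's address on file")
    if req.reply_to and req.reply_to.lower() != req.from_address.lower():
        flags.append("Reply-To diverts replies to a different mailbox")
    return flags


def screen_change(req: ChangeRequest, emp: EmployeeRecord,
                  callback: Optional[Callback]) -> Tuple[str, List[str]]:
    """Decide whether payroll may apply the change: 'apply', 'hold' or 'reject'.

    Policy: a callback to the number on file is required for every bank-account
    change, and the header flags are returned so the reviewer can see how
    suspicious the message looked. Clean headers alone never unlock the change,
    because a genuinely compromised mailbox produces clean headers too.
    """
    flags = header_flags(req, emp)
    if callback is None:
        return "hold", flags + ["no callback to the employee recorded"]
    if callback.phone_dialed != emp.phone_on_file:
        # A number quoted in the email itself could belong to the fraudster.
        return "hold", flags + ["callback did not use the number on file"]
    if not callback.confirmed:
        return "reject", flags + ["employee denied making the request"]
    return "apply", flags


# Constructed sample: the employee's real record and two requests against it.
EMPLOYEE = EmployeeRecord("E1001", "pat.lee@example.com", "+1-555-0100")

# Lookalike sender domain with replies diverted elsewhere.
SPOOFED = ChangeRequest("E1001", "pat.lee@examp1e.com", "payroll-help@mailbox.test",
                        "<routing placeholder>", "<account placeholder>")
# Real mailbox taken over (the EAC case): the headers look entirely normal.
COMPROMISED = ChangeRequest("E1001", "pat.lee@example.com", None,
                            "<routing placeholder>", "<account placeholder>")

if __name__ == "__main__":
    for label, req in (("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        print(label, screen_change(req, EMPLOYEE, None))
        print(label, screen_change(req, EMPLOYEE, Callback("+1-555-0100", True)))
```

The design choice worth noting is that the header checks only annotate the decision; the callback to the number on file is what moves a request from "hold" to "apply" or "reject", which is exactly the discipline the post describes.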
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
February 19, 2019
Acute Audit Appendicitis
My son came home from school the other day and told me that his friend’s kidney had "popped." With great concern and further investigation, I found out that his friend had suffered from appendicitis but had since recovered. Luckily, fifth-grade boys and most of the human race can get along fine without an appendix. And, as it turns out, there is another type of appendix people can live without: Appendix Eight—Audit Requirements—in the NACHA Operating Rules. NACHA members recently voted to cut this part out.
But wait—don’t celebrate too soon. The change doesn’t eliminate the requirement to conduct an annual ACH rules compliance audit. Rather, members voted to modify "the Rules to provide financial institutions [FI] and third-party service providers with greater flexibility in conducting annual Rules compliance audits." Specifically, the change—which was effective January 1, 2019—affected the following areas of the NACHA Operating Rules:
- Article One, Subsection 1.2.2 (Audits of Rules Compliance): Consolidates the core audit requirements described within Appendix Eight under the general obligation of participating DFIs and third-party service providers/senders to conduct an audit.
- Appendix Eight (Rule Compliance Audit Requirements): Eliminates the current language contained within Appendix Eight; combines relevant provisions with the general audit obligation required under Article One, Subsection 1.2.2.
FIs and ACH payment processors must still conduct an annual audit of their compliance with the ACH rules, performed either internally or by an outside party. They also must retain adequate proof of completion for no less than six years and may, during that term, need to provide proof to NACHA or a regulator. And they will have to adjust their audit methodologies to ensure that they comply with all relevant rules rather than just rely on the former Appendix Eight checklist.
The new audit process necessitates a risk-based approach, which is a strategy regulators have been encouraging in recent years. With so many emerging technologies, products, and services in the payments industry, FIs and ACH payment processors can no longer take a one-size-fits-all approach for compliance. They also no longer have a single access point to ACH—rather, they must consider many access points when auditing for Rules compliance.
These institutions may not have previously had to take into account other areas that touch payments. For example, the risk-based audit doesn’t explore just the deposit operations department; it analyzes how the whole enterprise interacts with ACH systems. Additionally, it may need to include loan operations, online account opening, person-to-person (P2P) products, investment management, and other new digital channels.
Life without Appendix Eight will be an adjustment, but its removal won’t be fatal. I think ACH participants will recover quickly and be even healthier—embracing the new risk-based compliance model will likely strengthen enterprise risk management and promote increased safety and stability in our payment systems.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 5, 2018
Webinar to Explore Faster Settlement and Funds Availability
"I'd gladly pay you Tuesday for a hamburger today." Have you ever thought of this comical catchphrase, spoken by the character J. Wellington Wimpy in the long-running comic strip Popeye, when you hear conversations about faster payments? Hamburgers and jokes aside, there are important considerations for getting paid tomorrow for an agreement or exchange made today. That's why the main ingredient to faster payments is settlement.
Settlement provides the decisive transfer of funds between participants. In today's world, we want everything fast, especially money owed to us. A business that waits two to four days for an ACH transaction to process may be waiting too long. The ACH network recently expedited settlement, and now it is expediting funds availability. Effective March 16, 2018, Phase 3 of Same-Day ACH will roll out, making ACH funds availability faster than ever. However, there are still options and business cases that influence how services might be made available to participants. After all, a faster settlement is more than a credit risk discussion.
The Atlanta Fed's Retail Payments Risk Forum is hosting a Talk About Payments (TAP) webinar to discuss the new faster funds availability that Phase 3 of Same-Day ACH will usher in.
The TAP discussion will explore opportunities this faster payment option makes available, along with risk considerations. We encourage financial institutions, retailers, payments processors, law enforcement, academics, and other payments system stakeholders to participate. Participants will be able to submit questions during the webinar.
The TAP webinar—titled "A New Faster Payment Settlement"—will take place on Wednesday, March 14, from 1 to 2 p.m. (ET). Participation in the webinar is complimentary, but you must register in advance at the TAP webinar web page. After completing registration, you will receive a confirmation email with all the log-in and toll-free call-in information.
We hope you will join us for our next TAP webinar March 14.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 14, 2017
Extra! Extra! Triennial Payments Data Available in Excel!
In countless old black-and-white movies, street newspaper vendors would shout out the latest sensational news from hot-off-the-press special editions. The Fed is no different in that we want to shout out that it is no longer necessary to mine the PDF-based Federal Reserve Payments Study report to extract the study's data. For the first time, we are offering our entire aggregated data set of estimated noncash payments in an Excel file. The report accompanying the data is here.
The data set is very rich and covers the following categories:
- Accounts and cards
- Checks
- ACH
- Non-prepaid debit
- General-purpose prepaid
- Private-label prepaid issuers & processors
- General-purpose credit
- Private-label credit merchant issuers
- Private-label credit processors
- Person-to-person and money transfer
- Online bill pay
- Walk-in bill pay
- Private-label ACH debit
- Online payment authentication
- Mobile wallet
Here is another table that is just one extract from the non-prepaid debit card portion of the extensive payments data available.
To get a taste of what this data can teach us, let's look closer at the cumulative volume distribution by payment dollar value threshold for non-prepaid debit cards (the data are shown above) along with general-purpose credit cards. The number and value of both types of payments grew substantially from 2012 to 2015, the last two survey periods. The chart compares these distributions, showing more vividly how this growth affected the relative proportions of payments of different dollar values.
For example, debit card payments below $25 accounted for 59.1 percent of all payments in 2012 versus 61.8 percent in 2015—evidence that debit card purchases are migrating to lower ticket amounts. The trend is even more dramatic over the same time span for general-purpose credit cards.
Because this is a distribution, increases in the relative number of small-value payments must be offset by decreases in the relative number of large-value payments. Unfortunately, our previous survey capped the payment threshold at $50 in 2012. Otherwise, we would see the dashed 2012 lines crossing over the solid 2015 lines at some payment value threshold above $50. In brief, the results suggest cash payments are continuing to migrate to debit cards, while credit cards may be garnering some share at the expense of both cash and debit cards.
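As an added illustration, not the post's own code and not the study's data, here is how the cumulative volume distribution by dollar-value threshold is computed from a list of payment amounts. Two constructed samples stand in for the 2012 and 2015 surveys and the thresholds are assumed. The block also computes the band shares, which must sum to one, and reports the first threshold at which the later year's cumulative share stops exceeding the earlier year's, which goes unobserved when the survey caps its threshold range.

```python
# Added example (not the Fed's code or data): cumulative share of payments by
# dollar-value threshold, the statistic the post compares across 2012 and 2015.
# EARLIER and LATER are constructed samples; THRESHOLDS is assumed.
from typing import Dict, List, Optional, Sequence

THRESHOLDS: List[float] = [5, 10, 15, 25, 50, 100]

EARLIER = [3, 7, 12, 18, 22, 24, 31, 38, 45, 49, 55, 62, 70, 80, 95, 110, 130, 150, 200, 260]
LATER   = [2, 4, 6, 9, 11, 14, 17, 21, 23, 28, 35, 42, 58, 66, 90, 120, 140, 180, 240, 300]


def cumulative_share(amounts: Sequence[float],
                     thresholds: Sequence[float] = THRESHOLDS) -> Dict[float, float]:
    """Share of payments (by count) whose value is below each threshold."""
    n = len(amounts)
    return {t: sum(1 for a in amounts if a < t) / n for t in thresholds}


def bin_share(amounts: Sequence[float],
              thresholds: Sequence[float] = THRESHOLDS) -> List[float]:
    """Share of payments in each band [0, t1), [t1, t2), ..., [t_last, inf).

    The bands partition the sample, so these shares always sum to one: growth
    in the small-value bands is necessarily offset by shrinkage elsewhere.
    """
    edges = [0.0, *thresholds, float("inf")]
    n = len(amounts)
    return [sum(1 for a in amounts if lo <= a < hi) / n
            for lo, hi in zip(edges, edges[1:])]


def first_non_exceeding(earlier: Sequence[float], later: Sequence[float],
                        thresholds: Sequence[float] = THRESHOLDS) -> Optional[float]:
    """Smallest threshold at which the later year's cumulative share no longer
    exceeds the earlier year's, or None if that never happens within the
    thresholds surveyed (the capped-range situation the post describes)."""
    ce = cumulative_share(earlier, thresholds)
    cl = cumulative_share(later, thresholds)
    for t in thresholds:
        if cl[t] <= ce[t]:
            return t
    return None


if __name__ == "__main__":
    for t, (e, l) in zip(THRESHOLDS, zip(cumulative_share(EARLIER).values(),
                                          cumulative_share(LATER).values())):
        print(f"below ${t:>3}: earlier {e:5.1%}  later {l:5.1%}")
    print("bands earlier:", bin_share(EARLIER))
    print("bands later:  ", bin_share(LATER))
    print("curves meet at:", first_non_exceeding(EARLIER, LATER))
    print("with cap at $50:", first_non_exceeding(EARLIER, LATER, [5, 10, 15, 25, 50]))
```

Running it with the capped threshold list returns None, which is the same effect the post notes for the 2012 survey's $50 cap: the point where the two years' lines meet lies beyond the range that was measured.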
The challenge is on for you data analysts out there. Please share your findings.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed