Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

January 9, 2017

The Year in Review

As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.

Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Office position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.

Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.

Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.

Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMS, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.

Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.

EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.

Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.

Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.

All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.

Photo of Mary Kepler
Mary Kepler
Photo of Julius Weyman
Julius Weyman
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Washington
Photo of Steven Cordray
Steven Cordray

 

November 7, 2016

The Downside of a Wide Paintbrush

Fall is the time of the year that I normally do my exterior home painting and touchup. During the summer, I noticed that my deck and stair metal support poles were a bit dull and had some rust spots, so that was to be my project. The poles have a 4-inch diameter, so I was in a bit of a quandary over the best width paintbrush to use—a 2-inch or a 4-inch. The 4-inch brush would provide faster coverage so my football-game-watching time wouldn't be compromised, but the 2-inch brush would give me greater control and reduce drips and splatters. I went with the expedient choice, and it turned out to be a mistake, as my coverage was uneven with plenty of drips and splatters.

I mention this story because I recently appeared at the National ATM Council's (NAC) annual conference. NAC is an industry trade organization representing nonfinancial-institution ATM owners/operators in the United States. I was asked to speak primarily about the Fed's research into the use of cash as well as the current chip card and terminal deployment status. After my presentation and in the subsequent days of the conference, I was approached by a number of owners/operators telling me that their banks had recently terminated their longstanding relationships; they were deemed to be "high risk" since they were in the currency business. Many were scrambling to establish new banking relationships and wondering why this was happening.

Being an old ATM guy, I was a bit surprised hearing about this action due to the built-in controls on ATM currency settlement and reconciliation that severely limit the ability for an ATM owner/operator to launder money through an ATM. It would be very easy for the bank to spot an imbalance if the money being replenished far exceeded the currency paid out by the ATM. There is still the concern, of course, regarding the initial load (deposit) to establish the account to ensure that those are legitimate funds, but that concern exists with the establishment of all banking relationships by any type of business.

Financial institutions certainly have the obligation to develop a risk management strategy and determine which types of business activities they deem acceptable versus those considered high risk. Supporting ATM operators with their currency needs could be considered a niche business with some unique requirements and may not be the best allocation of resources for all financial institutions. At the same time, bankers may not want to paint a business with the wide brush of "high risk" just because they deal with currency as a major part of their business operation. To do so may force many of these operators to shutter their units, which often are located in areas where there is not a wide choice of ATM locations.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 2, 2015

Security at the ATM: We Have Some Educating to Do

ATM Marketplace recently published its 2015 triennial research report, which includes results of a poll of U.S. consumers on various issues related to ATMs. The online poll was conducted with a panel of 550+ individuals creating a representative sample of the adult (aged 18–65 years) population. Certain findings from the report stand out, in particular those related to consumers' expectations of various aspects of ATM transaction risk.

One question probed how concerned the respondent was about a skimming or camera device capturing their card information and PIN when they use the ATM. Thirty-eight percent indicated they were very concerned, but the remaining 61 percent indicated they were not that concerned or weren't even aware of what a skimming device is. The pie chart below breaks down each response.

01

Does the lack of concern come from a lack of education, or is it because the respondent knows the financial institution will have to bear the financial liability?

One of the final questions in the poll was whether the respondent felt an EMV card would make an ATM transaction more secure. As the chart below shows, more than half of the respondents believed there would be at least some level of improved security.

02

Of great concern to me is the 15 percent who indicated they don't know what an EMV card is. Of the two groups who mostly reported this lack of knowledge, one was the youngest (18–24) group, which surprised me. These younger people are supposed to be more tech-savvy than the rest of us. But of even greater surprise was that almost one-third (31 percent) of the most affluent group (those with a household income more than $150,000) responded they don't know what an EMV card is.

Clearly, the financial industry has a lot of educating to do as credit and debit card issuers ramp up their EMV card issuance in advance of the point-of-sale liability shift on October 1, 2015. While the ATM liability shift for domestic MasterCards won't be until October 2016 and Visa cards, a year later, it's never too early to begin or continue educational initiatives.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 8, 2014

Under Pressure: The Fate of the Independent ATM Operators

The ATM industry in the United States is facing many challenges. For one, the interchange rates that networks pay to ATM owners have been halved over the last five years, transaction surcharges are topping off, and operating expenses are escalating. These financial strains may be hardest for the thousands of small business entrepreneurs in the United States who own and operate ATMs independent of those that belong to financial institutions (FIs). (Non-FI owners/operators are responsible for an estimated 65 percent of all U.S. ATMs.) For another, at least for the small-business independents, a changing landscape is placing pressure on the relationships the independent owners/operators have with their FIs.

I recently attended and spoke at the National ATM Council's (NAC) annual conference. NAC is a nonprofit national trade association that represents the business interests of these non-FI ATM owners and operators. During the conference, I spoke with many of the attendees to learn more about the key drivers and concerns of their business. The biggest concern many owners/operators expressed is their sponsoring FI will classify them as a high-risk business and terminate their banking relationship. (Many FIs are in the process of "de-risking" their portfolios.) FIs may mistakenly classify these operators as money service businesses (MSB), since they dispense cash, even though state regulators do not consider them as such. Two factors are contributing to this confusion: guidance from the FFIEC's examiner manual that cautions financial institutions that criminals can use ATMs to launder funds, and an organizational structure that has sub-ISOs (that is, independent sales organizations), which can make ownership of all the ATMs unclear.

In actuality, the ability of ATM operators to launder money through an ATM is quite restricted beyond the initial funds placed in the terminal. The processors and networks, which are totally independent from the owners, generate financial reports that show the amount of funds that an ATM dispenses in any given period. So if the reports show an ATM paid out $5,000 in a month, the ATM owner can only justify resupplying the ATM with $5,000, plus a little reserve. In other words, controls maintained by independent parties clearly document the funds flowing through the ATM. Additionally, the non-FI sponsorships are dominated by four highly regarded financial institutions with strict AML/BSA programs that validate the initial funding of the ATM and monitor ongoing activity.

My advice to the group to try to avoid having their business relationship questioned or, worse, terminated, was to work proactively with the financial institution providing their settlement service and cash supply needs. Make sure their account officers understand how their businesses operate and know the controls that are in place to make money laundering unlikely to happen. And if you work for an FI that works with non-FI ATM owners/operators, don’t be surprised if they come calling on you.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed