Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
September 7, 2021
Happy 50th Birthday, ATM
I am an old ATM (automated teller machine) guy, having managed a small network early in my banking career in the 1970s. That was when ATMs first began making their appearance on the walls of banking offices as a way to extend banking convenience to customers. During my years as a management consultant, I was fortunate to have been involved in the formation of several statewide ATM networks that evolved into regional, national, and international debit (ATM and debit POS) networks. Now that the ATM in the United States has passed its 50th birthday, what has it become and what does the future hold for it?
While the ATM has always been primarily a cash dispenser, there were efforts over the early years to introduce new functionality to generate additional revenue. Several banks unsuccessfully attempted to use it to sell postage stamps or transit fare cards. They realized that these types of alternative products required frequent resupply visits, which drove up servicing costs. Another marketing effort included selling advertisements on the back of transaction receipts, but since most receipts ended up in the ATM’s trash can, this, too was short-lived.
The introduction of a Windows operating system with its graphical capability opened a new range of functionality, with on-screen advertising now being played during previous "Please Wait" static instruction screens. Some ATM operators experimented with selling concert and other local event tickets. Such efforts were quickly abandoned when customers wanting quick access to their cash were forced to wait for minutes behind someone deciding on the best seat selection.
A major change in the ATM landscape took place in 1996, when Congress expressly excluded ATMs from being considered branches and eliminated geographical restrictions. Not only did this change create a major expansion of bank-owned, off-premise ATMs, but it also created the opportunity for independent ATM deployers to place ATMs in retail locations. Today, ATMs/cash dispensers owned and operated by nonfinancial institutions represent more than 60 percent of the machines in the United States.
ATMs have played a vital role during the COVID-19 pandemic in maintaining banking services for consumers while banking offices were closed or operating with reduced hours or staffing levels. Many ATMs use imaging for check and cash deposits. Reported usage has increased significantly. With all the successes and failures throughout the ATM’s history, one thing has been consistent for 50 years: the cash dispensers. They are and have always been an excellent tool to handle that functionality 50 years after their introduction. Talk about standing up to the test of time!
So, what is next for the ATM? The Consortium for Next Gen ATMs, representing more than 400 companies in 55 countries, has been working for the last five years to develop a globally interoperative software platform for APIs (for application programming interface) for the ATM to support additional functionality such as interactive teller sessions and cardless and contactless transaction support. Our readers have seen previous posts documenting the reduced usage of cash, especially by millennials. The ATM industry is looking to explore new avenues of service and revenue to offset reduced transaction volume.
Are there any additional functions you would like to see at your ATM? We would enjoy hearing your perspective on the ATM’s future.
August 30, 2021
Is Quantum Computing This Generation's Y2K?
I have a clear memory of December 31, 1999, when the world held its collective breath as the clock ticked down to the new millennium. Were we prepared, or would the doomsday predictions of chaos following a worldwide breakdown of computer infrastructures come to pass? As we now know, midnight came and went and as the sun rose in the east, all was well. Twenty-plus years on from the millennium bug, could developments in quantum computing be this generation's Y2K event? At least with Y2K, we knew when it would happen.
The computer hardware and software we use today operate on a binary number system, combinations of ones and zeroes used in programing code and mathematical formulas ranging from the simple to complex. These binary digits, known as bits, form the basis of digital data. To protect digital data from being manipulated in unauthorized ways, various levels of encryption are employed for data storage and transmission, with 2048-bit RSA cryptography being one of the most common formats. RSA cryptography uses a combination of a public encryption key to transmit data and a private decryption key held by the receiver. (RSA stands for Rivest, Shamir, Adleman—the names of the creators.)
"Man in the middle" attacks occur when cybercriminals intercept secure data transmissions and private decryption keys, often through phishing, malware, and Wi-Fi eavesdropping. While not unbreakable, 2048-bit RSA encryption is considered nearly impenetrable because traditional computers have limitations in their processing capabilities. Estimates for the time it would take for a computer using today's most robust processing capabilities to decrypt a 2048-bit algorithm run from several hundred million to several hundred billion years.
However, quantum computing has the theoretical ability to perform this same calculation in a matter of seconds, minutes, or hours. For this reason, quantum computing has the potential to create significant disruption in data security across all public and private industries.
Unlike traditional computing's use of a binary system, quantum computing uses quantum bits, or qubits, as the basic unit of quantum data. Often compared to the physics theory of Schrödinger's cat, where the cat can be simultaneously alive and dead, qubits can have more than one value at the same time, referred to as superposition, where the qubit travels all possible paths at once. In traditional computing, a bit is either a one or a zero. In quantum computing, a qubit can be both a one and a zero at the same time. Qubits and superposition form the foundation of quantum computing and are the source of its never-before-seen processing power.
In the next 20 years, quantum computing capabilities may likely reach the point that 2048-bit RSA encryption is no longer secure, leaving public and private industries exposed. In 2016, the Computer Security Resource Center of the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, initiated work to develop post-quantum cryptography standards. The goal of this work is to develop encryption algorithms that protect systems against attacks from both traditional and quantum computers. Interoperability with existing communications protocols and networks is an additional goal of the Computer Security Resource Center's work.
The potential risks of quantum computing touch all industries, businesses, and consumers, underscoring the need to be informed and risk-aware. Is quantum computing on your organization's information security radar? Are steps being taken to determine your organization's quantum computing risks? Or are we all just holding our collective breath?
August 23, 2021
A Mindset Shift among the Younger Generation
Back in 2019, I wrote a post about millennials being risk-averse when it comes to finances. This is largely due to a number of financial hurdles and crises they had to face growing up—the 9/11 attacks, the Great Recession, an unstable job market—all events that negatively shaped this generation's attitudes toward taking financial risks and the financial system in general. In fact, a survey found that of the millennials in credit card debt, more than a third said "debt is the scariest aspect of their daily lives," more so than the thought of dying or of war. Move ahead two years and here we are in another global crisis, with the younger generation taking yet another economic hit. According to some research from the Federal Reserve Bank of St. Louis on employment between 2000 and 2020, "weakness in the job market in 2020 was experienced very differently across age groups and genders. Young men and women [born after 1985] felt the greatest impact of lower employment during that period."
The pandemic has forced everyone to rethink many things: how we work, how we conduct business, how we communicate with others, and how we use technology, among other things. But could it have helped push millennials and Gen Z-ers to think more positively about taking financial risks? As my Risk Forum colleague Claire Greene noted in her recent blog post, millennials became more likely to have a credit card during the pandemic in 2020—66 percent of millennials had a credit card in 2019, and nearly 80 percent did in 2020. In addition, more millennials are buying homes now and are opting into other long-term investments rather than spending money on rent and more short-term activities.
Of course, it's important to point out that this change in millennial behavior may not be solely attributable to COVID-19, but I believe the pandemic may have been a factor. A study the Pew Research Center conducted showed that in July 2020, a majority of young adults (ages 18–29) in the United States resided with one or both of their parents, something that hasn't happened since the Great Depression. A number of relief measures offered in response to the pandemic—interest rate cuts, economic impact payments, student loan payment deferments, and flexible credit card repayment options, coupled with the money saved from living with mom and dad—could all have contributed to millennials' decisions to take more financial risks. Other factors independent of the pandemic, such as the increased availability of financial education tools and millennial-centric innovations in financial technology, may have also contributed. Whatever the reasons, I'm happy to see that taking financial risks is being viewed more positively among the younger generation, despite all the chaos of this past year.
August 16, 2021
Consumer Banking and Dental Woes
I have been unhappy with my personal banking relationship for some time. Most of my dissatisfaction stems from the fact that my debit card doesn't work outside the state where I live due to what I view as onerous risk controls the institution has implemented, such as requiring customers to provide advanced notice of interstate travel. But I've resisted changing banks because—let's face it—establishing a new banking relationship is about as unpleasant as having to undergo a root canal. I'd have to change direct deposits, electronic debits, and online bill pay; get a new online banking app; and, broadly, establish a new history and customer relationship. An executive order issued on July 9 aims to make this process a lot less painful for consumers.
The Executive Order on Promoting Competition in the American Economy contains several dozen proposed initiatives across numerous federal agencies, but the intended outcome that stood out to me most was:
Make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor.
At the heart of this initiative is the concept of open banking, defined by the Boston Fed report Modernizing US Financial Services with Open Banking and APIs as "a system that offers businesses and customers a range of products and services based on open flows of data." In October 2020, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemaking to standardize how consumers access their financial data or obtain a record of consumer-authorized third parties with access to their financial data. The July 9 executive order seeks to build on this consumer access "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions."
The United States lags behind the UK and the European Union (EU), who both legislated consumers' right to data portability in 2018 under their respective General Data Protection Regulation. In the United States, only California, with its Consumer Privacy Act, has legislated consumer data portability.
In the UK, data portability is supported by a set of software standards, employed by participating organizations, that includes specifications for common secure APIs (application programming interfaces) as part of the country's overall Open Banking Standards. The EU's Revised Directive on Payment Services, known as the PSD2, established in 2019 an open banking framework that allows authorized third-party providers to access a consumer's account information using APIs that are provided upon request by the sending financial institution. US standards are a necessary, but as yet undefined, component to achieving data portability, whether through industry cooperation and collaboration or through regulatory mandates.
Recently, my colleague Doug King blogged about upcoming suggested regulatory guidance in the United States on third-party risks. What are the potential cybersecurity risks for organizations if their open banking APIs were to somehow be compromised? What might this mean for other organizations that use the same APIs? Does open banking create additional risks to consumers' data and privacy?
Given the time needed to enact new consumer regulations, I will likely have to endure my personal banking woes for a while longer until I can easily and painlessly change banks. Meanwhile, it's time for a trip to the dentist.